23542300x8000000000000000399024Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:32:44.965{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B79897989EC81986A63B6B41242052F4,SHA256=2E47C9F6BFEBA83746F794DD2969B51D9BC4ED789DDE864F9AFC97EFE45A93A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454282Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:44.367{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDDA5A39D8D1FED7659936ADFF186328,SHA256=C063DEF6DDB9C16C4C05A8B6F6870D62BDB9B9E48B32555E515C1D947B23CD9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399025Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:32:45.981{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D72842B537D6DCD3BE100E7BFCB7A2F,SHA256=168697A9E1A147C82621D5B33EA08C14871F9DD9BBB62C383682F1930FAD297C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454284Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:45.382{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDD61565C98D6B69519063B20955AEF0,SHA256=E4217058AEC49155F2B6C611A7D1B023E462B0C7DEA69FF0C15DE6AA5C61A812,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454283Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:42.632{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60966-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454285Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:46.396{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3B5BE91A335409F36FBD996E4B13145,SHA256=372922F8043743B694BC3A68FD865F038302E824FE83A518C36EBBFCD17B0145,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454286Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:47.426{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A2CB8B89CE70357521936B3BFDE5319,SHA256=3A57C49BE9382A0B73C2671D3E4CCE9C45076F3517E2DE90A1AE4AAFC3E0AEDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399027Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:32:45.452{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53963-false10.0.1.12-8000- 23542300x8000000000000000399026Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:32:46.997{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95186E345E5B66B21DA53D2ED3DA6DCC,SHA256=3EFB0473822462909F519E6766CFDB4EEDFEB6DCCF738A073CCEF26F5FA05810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454287Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:48.442{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C50CAA28FFAD1471DB7B273C58DB9503,SHA256=6D623CD406FB0F8831D483F7E35C0FDC3EA64D70492C6B5E967C23C05871DF8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399028Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:32:47.997{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C778E1BC1016DBBFA068F4BD02DB09B,SHA256=A5DBBF7F545B1710145EF210FB2F34C2F994192254672174B492A34FB700E2CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399029Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:32:49.216{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FB2E4740CBEFA85CB5C28C11137DFAE,SHA256=292215B6B0DD951EF4CE180894F975CC3E4CD5909C0BFE39613C37FD734E8A88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454288Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:49.460{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8B7E1D38219D85566BD2A27BE5E2354,SHA256=9A81C7F54A207B25C034DE1BC93D275E4C40C04B2B66ED7FA5367AD15428732F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399030Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:32:50.262{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76D9DBCB8F8C18F9B759BE5A8B20991D,SHA256=B70687B751E077B1F96CBF4685F2EFC67900EB7444495059649A4FBEBDA9D76A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454292Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:50.466{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1CCF5C740C1A1184E7FF4DDD03A3014,SHA256=DE71DAA0E29D2785599D506AEDBE7031F0B41C4B17F6DC207275E3F1A6D1BE58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454291Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:50.446{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1500-00000000D301}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454290Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:50.446{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1500-00000000D301}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454289Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:50.446{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1500-00000000D301}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001454294Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:51.496{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82DF6E1C38F2B39501CFE84DC18233B3,SHA256=220E3404D3B6AF7BDC3FD228C473B8FD4EB891B69E78AAAC471F2BDA959E5F66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399031Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:32:51.278{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD91AC6C600445984F968B6C7E8552D3,SHA256=2F7E2DB2B9A29E6E2CA09E0E88543E163314446916F8E936084A43DC77F74184,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454293Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:48.624{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60967-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454295Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:52.526{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=393827AAB4D2DC47B1B6E1A5127620F5,SHA256=2A2C3E2DB7E98C97714F3E4A363FF6EDFF17E53C39E3430E48AADC390E5E257F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399033Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:32:51.436{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53964-false10.0.1.12-8000- 23542300x8000000000000000399032Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:32:52.325{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=002214C4EC90126784538630529333CE,SHA256=75EC9ABC2785671D61544EC7F7A8CAF1F8308D9F8BF6CB5E6B2FD6D58D587EC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454296Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:53.542{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B746B1FEC54894ED57CC9F8EDF903325,SHA256=752DC527D9B68D14B940BCC8A881231C9FC844725F12ECBDF4D11113952CB355,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399034Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:32:53.372{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8480469FF712CD9B05F22D48D64E229,SHA256=C34C11AF21D99C1FE08068F84F63E38C1CCAADC149934CEF3DA36A0AC8F5857F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454297Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:54.561{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82B6FBABB839B9ED1941732D4CFAF604,SHA256=06F8F6FB3FD3CD17700B683C5F67C85922BA0CA933DF9F213C695C282E0FA2A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399035Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:32:54.372{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B38D442857F465FCAD32B16FEE8872B5,SHA256=4F1B006AE4F31D68B78520294CAFEB2ADF20DBC1C615671041E9256FE5E5257E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454298Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:55.576{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B481ACE61D571733DD2E8D69E059460C,SHA256=E50F357E765924E23D30893E96EAA51F101328C9782D54A936EB9CCEC5D7B103,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399036Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:32:55.372{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F63D07B565F576D93B8A1AEFF5FFB0AF,SHA256=846EE5BFB8095B90B7EB8A43FAEEF4180EDD8FD0B8F5422475C51746B8768990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454300Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:56.590{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5852CF66A6DA1B2CBD5D80F79DFEF04,SHA256=272B05AA8106321EFEA865C0FE08D5501EF80FF841D43D298A82B4B114E16540,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399037Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:32:56.372{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EB4414F163AB1B4366213C23925824B,SHA256=68E5C53945DEBF415C62555828580E72E1A35945187C0CAD67207E6DDCE742E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454299Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:53.672{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60968-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454301Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:57.605{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B05C6CF9576C76832EB38942F0A1F5B,SHA256=4FA6DE8B84E4958E3B6A2F3BAAF133A3D028B523B93B0E70964F0152EE6B257C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399038Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:32:57.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B6DFE4CF7D4933C3DC1B8331F446F2A,SHA256=838F93313A60C4AB57ABCFF6DC1F6EF3DD6CDF7AE94A9B7C979EC3E22A02BD94,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454310Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:58.957{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0A0A-60E3-380B-00000000D301}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454309Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:58.957{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454308Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:58.957{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454307Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:58.957{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454306Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:58.957{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454305Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:58.957{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0A0A-60E3-380B-00000000D301}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454304Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:58.957{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0A0A-60E3-380B-00000000D301}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454303Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:58.958{D694AEB8-0A0A-60E3-380B-00000000D301}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454302Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:58.638{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CD159CE6C087EA4F8BFE34D3AFDEF3C,SHA256=C87EA8FE76E0FCF3ECA8BC9129036B4E7EA8B641E3DB68BC35D54311CB7C4ADC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399039Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:32:58.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E626E19B6CB58D996DB2A10F1586481,SHA256=AF6A014A5B33A1C0DD7495A229472F3BD3126A8D27A5FCB321570B9161C57EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454319Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:59.656{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0CFDBA70D2A6DA5C7394FA59188A6C4,SHA256=211D78307B7F7995290B8BB5824DE7B005EB7489C0011A2B83BFA624D65C1AB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399041Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:32:59.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4721FB6CD238EDEF2E5ADE69F03209A,SHA256=FF0848A34DA4E7BCE5D191648DBF64032CA5DD25491817895F26E4C10265DD52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454318Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:59.639{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0A0B-60E3-390B-00000000D301}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454317Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:59.637{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454316Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:59.637{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454315Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:59.637{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454314Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:59.637{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454313Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:59.637{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0A0B-60E3-390B-00000000D301}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454312Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:59.636{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0A0B-60E3-390B-00000000D301}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454311Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:59.635{D694AEB8-0A0B-60E3-390B-00000000D301}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000399040Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:32:57.468{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53965-false10.0.1.12-8000- 23542300x80000000000000001454331Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:00.686{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90E72D549BC53EBD0F015AD0F725FA25,SHA256=3E2F2A60ECA04A1020C425BC5E0EC5629A33E7E1B0E265BD537454C279AA6EA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399042Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:00.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=548C7B2DDE2AE95F10433BC327AC5652,SHA256=9A29DAA51A9A2431DDA440CEC1EC3DFAF0ECDFD443B24D71B7226D01DB0320F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454330Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:00.470{D694AEB8-0A0C-60E3-3A0B-00000000D301}12526816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454329Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:00.318{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0A0C-60E3-3A0B-00000000D301}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454328Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:00.318{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454327Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:00.318{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454326Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:00.318{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454325Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:00.318{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454324Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:00.318{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0A0C-60E3-3A0B-00000000D301}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454323Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:00.318{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0A0C-60E3-3A0B-00000000D301}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454322Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:00.318{D694AEB8-0A0C-60E3-3A0B-00000000D301}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454321Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:00.002{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62C07E4AA1A30A2E6A0D02A3A23D49CA,SHA256=A16AF25C2D773C284938ECB941698E972D84880F24C5D20AFE54DCBA44FF0207,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454320Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:00.002{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B05CA0F5066CDD1AC8C82E74E0E0EAE4,SHA256=9FF994A68B8ECA753D097628D044B63A010FAEA88D81012F1934651AB9DE7FB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454335Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:01.986{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\aborted-session-pingMD5=0D4C030C1FAABAB1A7B4DC5CBFCF8269,SHA256=E12F0C07CDB88042FB80ECD6169B974215B4608B64B7371056ABCE3AD10628F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454334Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:01.716{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB6A50F58D8520F3E44D8A35BBE61ACC,SHA256=A2A30529036140A4F287C030F40745BEB740A90D406725F279F7622C4DAE410B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399043Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:01.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C3D7B5E7B716F55733B5BBF2D9BA102,SHA256=664DB646A41D0B267A960A447E4459194F115789A7CA34FBC10657F775548978,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454333Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:32:59.503{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60969-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454332Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:01.354{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62C07E4AA1A30A2E6A0D02A3A23D49CA,SHA256=A16AF25C2D773C284938ECB941698E972D84880F24C5D20AFE54DCBA44FF0207,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454344Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:02.936{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0A0E-60E3-3B0B-00000000D301}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454343Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:02.934{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454342Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:02.934{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454341Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:02.934{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454340Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:02.933{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454339Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:02.933{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0A0E-60E3-3B0B-00000000D301}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454338Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:02.933{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0A0E-60E3-3B0B-00000000D301}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454337Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:02.932{D694AEB8-0A0E-60E3-3B0B-00000000D301}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454336Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:02.734{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E81A05AF0B26FC343525316A3C075DA,SHA256=C53F18CCBF0020FBC706430BD4043578B8370101220D253DF3ABDF58A414BBAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399044Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:02.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C51B0A994BE6C498A658BE50CBD269D3,SHA256=9547D5BBFF5F7DD416DF64B9E1DC2D02806CF93EF8BA7B0296CC6B95C60EADFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454356Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:03.967{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A44887A46BF80450485752CE799C7CDC,SHA256=54602F8D687F60C2AA29070A5AB6533E6C5218E232B44D3E5A287A8B66E7FC6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454355Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:03.751{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96C52345C6AB0BC3BCD1AB9ED0CDC2FF,SHA256=865A063E193AEFA90C5DFAF9EEE150973246700AAF76F7DFE54499A7B03EC94C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454354Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:03.751{D694AEB8-0A0F-60E3-3C0B-00000000D301}58081872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000399045Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:03.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=047118F863D56DF8A7DA5777DADF0835,SHA256=F277A92877881D00D864FDC00CDDDBDB4DE191DBE33B32316E6A908C81D44846,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454353Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:03.614{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0A0F-60E3-3C0B-00000000D301}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454352Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:03.614{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454351Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:03.614{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454350Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:03.614{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454349Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:03.614{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454348Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:03.614{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0A0F-60E3-3C0B-00000000D301}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454347Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:03.614{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0A0F-60E3-3C0B-00000000D301}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454346Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:03.614{D694AEB8-0A0F-60E3-3C0B-00000000D301}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001454345Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:03.083{D694AEB8-0A0E-60E3-3B0B-00000000D301}2848724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454374Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:04.966{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0A10-60E3-3E0B-00000000D301}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454373Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:04.966{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454372Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:04.966{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454371Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:04.966{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454370Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:04.966{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454369Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:04.966{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0A10-60E3-3E0B-00000000D301}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454368Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:04.966{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0A10-60E3-3E0B-00000000D301}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454367Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:04.967{D694AEB8-0A10-60E3-3E0B-00000000D301}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454366Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:04.782{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CE6968C97A8DF0190DE39D0F5CA8E48,SHA256=A2F457491DD920ABB3B0CA0F78A76ECF5DD84646809296DAD0154705574A8291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399046Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:04.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B70CA6689A0E6556FBAB19ADCA1C2C0,SHA256=288B1E92AF85599454BC77EC7386EF451E2047CE6CF64E063792C99081B39CFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454365Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:04.451{D694AEB8-0A10-60E3-3D0B-00000000D301}52846480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454364Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:04.282{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0A10-60E3-3D0B-00000000D301}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454363Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:04.282{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454362Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:04.282{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454361Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:04.282{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454360Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:04.282{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454359Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:04.282{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0A10-60E3-3D0B-00000000D301}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454358Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:04.282{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0A10-60E3-3D0B-00000000D301}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454357Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:04.283{D694AEB8-0A10-60E3-3D0B-00000000D301}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454378Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:05.796{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4509531D122101317737776897ECF1D,SHA256=474F119A0BB70069E1C60E9340A67C39E84251EC1D9225A088E161F6CDA59656,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399048Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:03.454{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53966-false10.0.1.12-8000- 23542300x8000000000000000399047Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:05.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7CBCF26A08E287DB5F701E330319DA4,SHA256=1F1CB51574CB120CF60F816AD0987BAEB9EB4BD7A7CAC8B40811E35A3EDA3EF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454377Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:03.377{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local60970-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001454376Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:03.377{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local60970-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001454375Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:05.312{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=648FB90FCC6673F3F0F7CC28B6B03101,SHA256=9A0FC2EA63B6F05AD043E2F76B7B7D96B1B13F7AB30508B6DF68ABBF1B01646A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454379Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:06.811{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F90A120760222218EC80FFD2E63EA840,SHA256=EFE288041537882824084AE02D8A879B78FD2019A2D220CA85F33D6F084C666E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399049Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:06.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B42BEF06B458E768F23D4C20538D684C,SHA256=624F039386DE12C976C92B2EB5FB592C52D20A4E0E6A7A71003F9041671A9FA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454381Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:07.828{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81B4E1C7A29598A2CC972A79C7E3F330,SHA256=02E931CAAB588A9ED9D590563690B93D5171DAF90BB22495516FB3E1D0C960CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399050Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:07.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=201EBE2ACD4B5917420C4AEFC79F45DE,SHA256=8FF2C0DB62D706333310D7F0A6752584303045EB7D21C4CCEFD33968AA3323C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454380Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:05.529{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60971-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454382Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:08.846{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FCCBE19CDD98F6F1A65F39FF93B93D5,SHA256=38E2DE1512542BB1ACA18605B8A01AE503CFDD5F6A51A351B1B9EB27C56B026F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399051Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:08.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F6AE192155B077D116894DB892D74C8,SHA256=183FA17151BB9316516D7A29B01D9153D86DA4FCCD7ABAD39FEFC25ADF09B250,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454383Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:09.876{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6441519A14D5AC7481BE50CCDE0ED96,SHA256=797A837E55DF81B9593AD609B167EFECE38E895BDCF364EA4CDC60BCED351F7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399052Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:09.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CF5DB7376CE290CF08E13D2E4EBD1B7,SHA256=D298D4E57EA950C0A9D4B961DBFBC67240A67601DA26EA541CBDB249449A6B2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454384Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:10.927{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47BBAFB126709E28E5AA498848F94E7D,SHA256=5D4F1E2A1406506B9497FC91B7F57C252F44412FDC92F220D078366E9329AF58,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399054Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:09.218{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53967-false10.0.1.12-8000- 23542300x8000000000000000399053Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:10.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56E5F7D0DB02EC39DE299D3E233ED325,SHA256=E52D80621F02360D34B75667DA3D847FB2F003B29F92AC3BB52C74152B707F31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454385Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:11.943{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9417718B50027A132402555E99416D8F,SHA256=C4543A54A9BB088F142B3F152E824ED3A643AC2696DA57ADCAE1B7C05589D8D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399055Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:11.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C92A83E235A11510CA9EC14B4229824,SHA256=1C8D9B028EA41C68D91F38E2761582E6ABC9149228AAEFA99F8A20181CEDE4D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454386Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:12.957{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C39625F59F23F52449001351CEBCD21F,SHA256=35B4AFB04CEDE9777FA09A19C88C2717B4BBA6D0FB3E5447F12C051B63937BA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399056Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:12.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00A861F2A4A406881242C49FD0C8D631,SHA256=74981E6A3968C38DB680AE82890223A2A1F8A1774D035B99654B062FBDBA5746,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454388Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:13.972{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D59DE28A7CEB6B711799F301EEFD4EA,SHA256=CFCFF520959D49511D1602A47575741A924115C26EC56F9F1B16F1AA5D1C6F88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399057Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:13.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=152CBFB5C0E92B3A099169E2ECBC9F57,SHA256=DE99DB3CF8BD1164BBD19415451EC645B18A5EB62336D448D8002EE4E46D6A21,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454387Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:11.537{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60972-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454389Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:14.986{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57B66F12A3AFF3D3D33C92DA1A58AC34,SHA256=730ADDB960DC6DADC1DECBB49E786797791212C33E0A76FA81527F328513BA70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399058Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:14.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=536D8397BBE7B86BAE70A43E43A87AD8,SHA256=A030219BB3EE7FB17D1BDC568759FBA6D0C23018CC246FFE10F6A25668EBFC72,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399060Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:14.468{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53968-false10.0.1.12-8000- 23542300x8000000000000000399059Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:15.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D82406202FE33CA465302B2232ADAE3,SHA256=2B50714A17B84FFA4B706DB1B589EB5DFE6DF56FD9B95EEA37BC5FD7FEF7658F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399061Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:16.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=997E7CE7815D5427BD7B89693D079780,SHA256=85E810450E36469CD37429D77AF281EC7ACAB9E18D95E40629CB0030AE42A04D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454390Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:16.000{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12F40A26C6021E2BC7C0682FEA8BB954,SHA256=BBB9507E64F0092C1EF7D87D88E7F0E2BEAD7A15F8B30427B51FB069229514FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399062Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:17.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FE638301024A94F4FFBFCA0C145B483,SHA256=B7818528B324C089975B91D979CF4FA3139B4257B90C448307C0D87476B2267A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454391Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:17.018{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=833B53CC0BEAA12306490B4C67967E3C,SHA256=0E81FC89BC99DAC23A60311AF6C90C0F7C4711DF871302C647F8F645FE5662A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399063Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:18.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A55B8DEB2B1E3818D73B2D986F9B9CD9,SHA256=A67DDC90378BA2C9656CA0D562B6AC071A56B81AC31E1228FCCBED2F421EFCB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454392Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:18.051{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3889BB4761703AE4E480736C49293702,SHA256=E18DFCABC19D671A66F0D0586A105CDE6C0903C26F9B4052D7833D79DFDA9B8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399064Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:19.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFEDD22589B31A327A5E8B07B3BDD589,SHA256=316CA05BA8C867C8D520C6E93F70BF434D2A8FF064B11FD7768D814923C165DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454394Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:17.561{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60973-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454393Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:19.066{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B7F2FB7AE31207896F4781708CBEE1,SHA256=DD77CBDA10F6F4741C4CC0B304C342F1ECC590A7ED51AD23D6DD6D7F4B3690F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399065Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:20.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EECD91BF8003B0A317B0D363C9E67977,SHA256=B03D7F48543A9514A10E651855F1CE0BF2598F97EC0F3C89A7E7E1346B4ECBEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454395Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:20.081{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D734D00F76015417B5002627300504A6,SHA256=4C9E7BF6D83DD3C8EE1F6A25085AF3CCEE82F70F30F5CCC000E07353915F3BBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399066Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:21.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AF7A1DC805F6E611F1D8DD5E40016B8,SHA256=CDB25E1D208FF69823A0FD076D649290F47FDA75CB2CDC2B66C4429D770255A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454396Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:21.095{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55B12E13E8F1098903CFFCCEB1C2B648,SHA256=EDC0B820EA137986DCCF9F9765C61F10A02D161905496847E62AF701BFDC30C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399070Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:22.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0146909C5B256C0D190239C5BB1E7A75,SHA256=025B33162A3C5D002BEA10F1A2E5376470A7ECD74C088083F229BB0ABD12F00C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454397Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:22.113{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F92C73B5E1D7253FD0EE9A605236EFCF,SHA256=5C0834EA1B9480D9A77D9C87517C00883C6A6B8E85BA2E8983FFB5DEA8A1C6BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399069Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:22.122{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E924BF87336752B52DDE092EA7193B2,SHA256=4D75E8F84FF60465C1908B384675AD20ED55CEB76F531165170B99C19CA36204,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399068Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:22.122{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=614257C0351B1C167B87EA0F6959BBB1,SHA256=3BD69E1EAB036F94960C922F8C026A7DAEB19CEE91F3B92359D5A865587ED8D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399067Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:20.249{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53969-false10.0.1.12-8000- 23542300x8000000000000000399072Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:23.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA064B5A250F943800F3EBE52F21DBC1,SHA256=BCE12C76E77BAC3EB02FFA237122C9F937DA4F8B1E8E7855C09A95133D9613B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454398Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:23.131{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8A527696A1D34719196C2C660FFD2D8,SHA256=E6E7B4B4EC4D19485A68D6B60BBF12AB52C3A4B21E439B1639BA1B47642B9745,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399071Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:21.019{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-61152-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000399073Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:24.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEE26F543BE982DF0AEA6B361F694770,SHA256=D27BCCC5F57426088805924128821B826154CBD56019976C0E5A0E4F082A58BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454399Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:24.146{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66217471F65DCE0D7C84AB16640ECCC2,SHA256=314F7C738EC4536017EF6A3387120B06C3F07920D6338D77B8E8A2092BFAE9A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399074Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:25.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1657048177B19A1C8ABABFD77EBB393A,SHA256=F92480B6E0A27EBE135E2B4B050265E0116E43830181FA5B60F70A8BD11A5914,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454401Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:23.593{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60974-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454400Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:25.160{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBC3614E4863DCA10D13BB6C7C8F10A2,SHA256=8BCCB0FB707ED62B6AAC8C68E20E51BC96C39684B09806F09AF04C1DAF22C3FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399076Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:26.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB0A5CBAAA425B254A9E921671C771B9,SHA256=293669D55A9C78D121CF169969483D7BD82404ED4023BE9B97BAED25893805F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454402Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:26.190{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD6688C2348563610A80D53928E5720,SHA256=F0509BA96D0B0D6F4E9DC76FFE28FF60E1C0707FB1EA50BE24CC5CC000396467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399075Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:26.372{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=27DFB73D54298AA27B86C45CDB20658D,SHA256=DB803251174EEE27A9E6E1BF0CCD9BB7C440BCAFD5A36B2EFAA5B0FCB929EF47,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399078Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:26.234{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53970-false10.0.1.12-8000- 23542300x8000000000000000399077Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:27.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0695B3076D6219D19FA3268C1004707A,SHA256=68445B772C614C120529A88C7C405D8C21986128E53BFC75462F999EC27A5270,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454403Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:27.206{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC46151180CB78769AB665AF88430DE1,SHA256=6284C1763BAB9BA8807534EBC9F12591CE1971E9A935E9FED991ABF3E5C903E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454404Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:28.225{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=728090882D8E3D4F2C037BC107B3F1F2,SHA256=F5EAEAD33FEFDEFFFD5EDA3DA0B509E99C0F81B8EB0D77355C7BCAB6A1F728A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399079Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:28.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3F519C686D56F73B6BEF868B852E5F6,SHA256=E2897C935271AF0F9BFEF5D05F996AC993BD474ABCB7FAF58E9F66D869AE253F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399080Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:29.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0B4E67201B4E22E64C2C8507ACF93B6,SHA256=19829350EBF11838F2952640EB4A356F0CB476A74665CDE76F987C592CCC8ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454405Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:29.239{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E91681A058E6E02B3B773612A2B9B15,SHA256=70435A1601E1F35AA89A21D80BC4608FA823A7E2AC2FA1A2A01158AE008607B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399081Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:30.434{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18D73DA42F6C5E8F13F22AC3736D3C61,SHA256=E5672441952FF1ED0F28D5FF4136E0662673BBA3C8C18D990F660E941AE6BC5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454407Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:30.604{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454406Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:30.269{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=994B4792CD122622F7812CD8E5075860,SHA256=162389B9233E5DB92C0D182C9B77A8874980D3A0174789B35FF294C861258051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399083Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:31.544{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB5895550005FD4302D641EE4CF3F126,SHA256=E151AB664348F69F8DCD97E96C9D5705870C18E33353AD3DE7A21AADECEE2D7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454408Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:31.284{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABE0CECBA3926F5557FACCBE6D3F0B83,SHA256=F93BC19BB235118C58B3886EB62C0196F4EA699A3916909478D3660ADFA102E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399082Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:31.294{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399086Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:31.484{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53972-false10.0.1.12-8089- 354300x8000000000000000399085Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:31.453{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53971-false10.0.1.12-8000- 23542300x8000000000000000399084Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:32.546{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7F5626376C0211E938F7C37225431D2,SHA256=831E72F487267725BA6744F29202DAA40742564C37C3C0FF9317C7CD98DDFFB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454410Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:32.303{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9E64028C13044D10CF24AA32E5CA609,SHA256=515C1DA907461685EB72FDB967B807616C633021CFF54DB5189CE7CCC4C5EF88,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454409Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:29.632{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60975-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000399087Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:33.668{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEC343C66E70FECD618939E216869753,SHA256=516BB021DB66514EEC23218C1603913D3308C97C9807BE80A070BE06559F65B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454423Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:33.981{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=916C7DF7E4CE5991B384A15D71F48F5C,SHA256=A495A5A5E706FF6A6D3EC61895275403A7D79619D1473A277E8CB0A135F97BA3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001454422Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:33:33.381{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001454421Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:33:33.381{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x01510b62) 13241300x80000000000000001454420Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:33:33.381{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d77199-0xf766e8d9) 13241300x80000000000000001454419Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:33:33.381{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d771a2-0x592b50d9) 13241300x80000000000000001454418Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:33:33.381{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771aa-0xbaefb8d9) 13241300x80000000000000001454417Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:33:33.381{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001454416Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:33:33.381{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x01510b62) 13241300x80000000000000001454415Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:33:33.381{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d77199-0xf766e8d9) 13241300x80000000000000001454414Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:33:33.381{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d771a2-0x592b50d9) 13241300x80000000000000001454413Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:33:33.381{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771aa-0xbaefb8d9) 23542300x80000000000000001454412Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:33.334{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65EF30AAAC109E3DA29EF83F256AF1B6,SHA256=F924C3782B806F692870B842C3358435EC0087E356160404505E7BEDEBBD4D8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454411Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:30.032{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60976-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x8000000000000000399102Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:34.920{7F1C7D0B-0A2E-60E3-A70A-00000000D401}20961868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000399101Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:34.670{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DC984F1D58B6206CDA0BB3ACCA19792,SHA256=5D7551CE73B33B0A121159E6B34BF28ABFFB3734B45F753D687B3362332FC53F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454424Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:34.349{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B753EE2EB5CD86A711ED1B0C755C0A7,SHA256=E78C7B33F437B80C4EC111312A87C7A5853A12F3E3CA3EC2B3EE7405ECFBDCB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399100Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:34.623{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0A2E-60E3-A70A-00000000D401}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399099Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:34.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399098Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:34.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399097Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:34.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399096Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:34.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399095Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:34.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399094Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:34.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399093Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:34.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399092Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:34.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399091Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:34.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399090Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:34.623{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0A2E-60E3-A70A-00000000D401}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399089Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:34.623{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0A2E-60E3-A70A-00000000D401}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399088Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:34.624{7F1C7D0B-0A2E-60E3-A70A-00000000D401}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000399131Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.779{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30C38CDE1DABC6723419E3E9E014057E,SHA256=0DF32ACB2A72389425B51EAAD65D9C8B5A0F2B589EC4E3AABBAFD87CDFDF421D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454425Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:35.363{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51205C494B02383500997C2E4EF70EDB,SHA256=2579CFC168BF6DBA07F1FF03601D08B63391E9BDD7BF753EE55B498FF636BF2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399130Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.639{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDE7EB48043686940942235A31386195,SHA256=B67A6CD2E30742230A60653C6CF695B2751827C58929744C5050A93D50D84ED8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399129Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.639{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E924BF87336752B52DDE092EA7193B2,SHA256=4D75E8F84FF60465C1908B384675AD20ED55CEB76F531165170B99C19CA36204,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399128Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.623{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0A2F-60E3-A90A-00000000D401}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399127Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399126Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399125Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399124Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399123Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399122Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399121Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399120Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399119Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399118Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.623{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0A2F-60E3-A90A-00000000D401}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399117Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.623{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0A2F-60E3-A90A-00000000D401}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399116Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.624{7F1C7D0B-0A2F-60E3-A90A-00000000D401}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000399115Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.123{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0A2F-60E3-A80A-00000000D401}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399114Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399113Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399112Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.123{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0A2F-60E3-A80A-00000000D401}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399111Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399110Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399109Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399108Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399107Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399106Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399105Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399104Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.123{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0A2F-60E3-A80A-00000000D401}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399103Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:35.124{7F1C7D0B-0A2F-60E3-A80A-00000000D401}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000399132Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:36.951{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23C7544961FC82087235A3C05725E19E,SHA256=09BB9D17814EB24A06DD4E2E8B1D7D7D65AFC2FE9C9B1E849E83F002505A2BD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454426Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:36.378{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3979413A45EBDEE6971A7A4E9FF53D32,SHA256=A51F0DB071E61A91F0545F72C43A3787388942AE3468063BDA95C65689CF8717,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454427Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:37.414{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCA63BB04D89E9314C84CC6C8A515556,SHA256=734B097294EE73E21F6099F65D1D1D8F4FEF1B2EAE94B2739AAF0FF60F7348F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454429Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:38.429{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=290191CED9F70E32D86246E20796F5A5,SHA256=E9D2444A0698C03F444AC4951150C11DDB974012C48126571D0B3F5157F08469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399133Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:38.061{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C745C401391CE9E6282D0B31F50056D3,SHA256=A25E21FB3E15913324997CE2D793BC1008965FAC2A95E49F6805D52799C86D69,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454428Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:35.642{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60977-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454430Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:39.443{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAA1AA4FDEE90C9FD323D42AAA95AF2F,SHA256=69976EC4F9286D1BE635FB733C359DAD7D76F1332CD982BE6EF99683E3461345,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399163Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.826{7F1C7D0B-0A33-60E3-AB0A-00000000D401}3004972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399162Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.623{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0A33-60E3-AB0A-00000000D401}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399161Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399160Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399159Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399158Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399157Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399156Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399155Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399154Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399153Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399152Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.623{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0A33-60E3-AB0A-00000000D401}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399151Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.623{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0A33-60E3-AB0A-00000000D401}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399150Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.624{7F1C7D0B-0A33-60E3-AB0A-00000000D401}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000399149Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.420{7F1C7D0B-0A33-60E3-AA0A-00000000D401}1444708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000399148Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:37.439{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53973-false10.0.1.12-8000- 10341000x8000000000000000399147Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.123{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0A33-60E3-AA0A-00000000D401}1444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399146Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399145Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399144Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399143Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399142Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399141Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399140Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399139Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399138Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399137Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.123{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0A33-60E3-AA0A-00000000D401}1444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399136Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.123{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0A33-60E3-AA0A-00000000D401}1444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399135Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.124{7F1C7D0B-0A33-60E3-AA0A-00000000D401}1444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000399134Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:39.061{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D7D2562DAAD0151F6DEFDE48DCCDBE5,SHA256=2C302BB22D8441B9CE3372DFBCE0E661061C96A2C701E658DB8CF05DF8C96B87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454431Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:40.474{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=654F9E04BBB25787B91EDA1588076B07,SHA256=CBE557222C5D04530BF21E42B92B1B57552DC477879997DCCAECAD0E07CB5D5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399192Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.967{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0A34-60E3-AD0A-00000000D401}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399191Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.967{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399190Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.967{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399189Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.967{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399188Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.967{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399187Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.967{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399186Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.967{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399185Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.967{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399184Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.967{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399183Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.967{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399182Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.967{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0A34-60E3-AD0A-00000000D401}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399181Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.967{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0A34-60E3-AD0A-00000000D401}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399180Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.968{7F1C7D0B-0A34-60E3-AD0A-00000000D401}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000399179Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.483{7F1C7D0B-0A34-60E3-AC0A-00000000D401}26288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000399178Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.342{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDE7EB48043686940942235A31386195,SHA256=B67A6CD2E30742230A60653C6CF695B2751827C58929744C5050A93D50D84ED8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399177Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.342{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B60DAFB6B4E963BD9100EECCB4F1DA34,SHA256=0D91AEBC361304087B7A203568792AAAADDE45F02FC33014801DAF7735595111,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399176Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.295{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0A34-60E3-AC0A-00000000D401}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399175Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399174Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399173Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399172Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399171Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399170Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399169Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399168Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399167Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399166Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.295{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0A34-60E3-AC0A-00000000D401}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399165Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.295{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0A34-60E3-AC0A-00000000D401}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399164Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:40.296{7F1C7D0B-0A34-60E3-AC0A-00000000D401}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454432Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:41.475{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=483218A8F8DEE54BA607E3BA9183EC90,SHA256=83759B4030A01EC417F887332D8BFB7C298890579B72F07ED3286884EE288EDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399193Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:41.483{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B8B420FE84EBBD80A059861CEE56AA7,SHA256=1A0B2A330C7CB2519228CBFB6E9B34066E457F1DBF50DA045929E5514CC170C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454433Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:42.492{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB3F95D17E45A9552CC23F8F13472540,SHA256=C6217BDF1C18BD4BA2FEBA702DA8E7C3C530AB78BF376F46C039B27A4CAD0E25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399195Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:42.561{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ECF14A726763E1D4771DAC124679E3F,SHA256=BC18ECC15676F092F9D6F8CD60E379B8E9CC07BCC3094D84236F90944F72CEC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399194Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:42.201{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6D6B0EBB8B521D55A23DA6C613CA8E6,SHA256=350F1026F0A0624E8D433067044C37110B9EE3AAE1AAF4B4B34F769D30A6E334,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454435Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:43.511{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=324D299EDCCD31C6806E4629B44B1822,SHA256=49A50178EA5F49871712F42ACDF26FFEAFA420428859035055E687A9FF5E538B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399197Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:42.439{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53974-false10.0.1.12-8000- 23542300x8000000000000000399196Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:43.608{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDDE5BB301BFE008AE5AF5DEDDDE8567,SHA256=DD7FE5BA8DF5E4CAC76153A050E55FB3B3D01A2176D80B6E3AA1A8C19E0042C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454434Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:41.638{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60978-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000399198Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:44.842{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=772B2BC6F010FDF04E5486F78893724F,SHA256=341929327920988D1E50FBEBCB82385BD9D448F715548BAF3AA0F026DBF9CC89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454436Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:44.525{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=287211F062E94B8E856513FEB2BCDCA9,SHA256=C0F4B69BA78F5B2D0A8C0EA845D4299A8E878595AF0FDDE3601C48BB17380D76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399199Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:45.842{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3367306807715C8C1FCE03FD75A305D,SHA256=1A1C0ABD3EADB69C1B6240C0DC57F1A69C558AEAE87CA955B4F776D8A6395D05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454437Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:45.540{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=602ED9523E74CCDA332FA77A9725E300,SHA256=DC30A153A6226AEE32EF9FC64E4783C6A2DDDC1A2A5A00625D4DBF1E2EDEE09B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399200Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:46.904{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91C6F3BB7ADA88FBA7DFA312423BB643,SHA256=ED9DE8F2767FD2CBBB7FF0D08719F9327576BA64BC4168EA510C60D33003F9B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454438Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:46.570{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFF8E956F02E1662E0214AA803295E26,SHA256=FA1BBB5CF7745E1F780AB1D8820F718AB3ADE4EFF806171BFF7ED1C064E75990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454439Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:47.587{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B72761910EFF49F6ACF3A7FE61D56772,SHA256=66BE4442467EA6EC34550C21B92A02EC4278761F70B1EB200CFB360568CD9635,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399201Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:45.961{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-31683-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x80000000000000001454440Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:48.604{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E78D091DDCCE7DF9B7AFE542C84FD573,SHA256=B6599C3F919FA19FDC0D814DC89F50756191A6E22208CD24D149E4660CAAED66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399202Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:47.998{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=708E100407476B673C4EB5A6625469EE,SHA256=7B9E9D9D575DB17D84D831A48FD8EC9242C0450D86D523BF8D3E5D4F6992BC96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454441Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:49.619{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDB55EC258B0A1EB2901772A4DD468D0,SHA256=EAB8C762C547670F76DB389AB4DFA60BC689F10ABC61CB5D2D4A4351A184477C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399203Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:48.998{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2FFB67F316AB0D863C3EE3B644E7159,SHA256=99F10DB4021441DC3DAEF2FB0C5EDA16B12F4103DDE9D500E44BB88A47BB969D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454443Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:50.633{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09B0A795F848B2125C019643648E4810,SHA256=B8DFD4A8B332367E6A81B63D9F3D5A96AFC663511BB6AF269F49480174068931,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399204Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:50.014{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BF7D70243D95F4919CC56D0E34AAACE,SHA256=D4A4B9035CCB276A04B831F127D3156A59F40362793D83B7D0B821E326B313DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454442Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:47.634{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60979-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454444Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:51.663{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDE35F223E2816CFE29C1B6B21661A65,SHA256=5805D14ECAFF7380112E5BF2B0CC81B77DC5AC337887BBE79C15004DB2A5FDA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399206Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:51.092{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=914329411F870A886CB2B16C648C06FA,SHA256=28F6967A83E651C4B8E3BD601AC367D11A05FD1CF930C83242DB063665E73CAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399205Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:48.439{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53975-false10.0.1.12-8000- 23542300x80000000000000001454445Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:52.684{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30EF95657890D832087776E5AD824B6B,SHA256=1E06CF4AF68BF2810550F41CA9C91E0BC012DEEC680810FCF3E964CFE593DD0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399207Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:52.092{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=552D353A8AD384B009D320E436BC812C,SHA256=5024EF8A65780C1D027FC942C0106B6888696D9F785D098A1D1200D0C85B65F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454446Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:53.698{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10CF8EED43B7EA507D26AFECD9BCC28A,SHA256=95FB084DE62E3340038C55A6E5A81C10EF456F947C5E3B85F1A07372B9F3764D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399210Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:53.139{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AD2D47AAE6B621A77D1DE600D3245DD,SHA256=7F15CE33E3F717A02108F7C39564680E82BC149907E8ADF1A102A9A21287FF95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399209Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:53.045{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D5946237EFB76B87B9BF2BD280AF502,SHA256=C8FD71BDEF165800C3CEEF56291FB468B13D5AAB00C114286B96F5D871E823CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399208Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:53.045{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=309C16BD029E05677898B0FEEB6F3494,SHA256=21A3616A5C7B7D7ED3ED0DB05B51CC94FC6004A847424E1B276F25DCC27F4263,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399211Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:54.279{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94CE1A73F8C5FFF7E8A5959B0B4E7F5C,SHA256=EAE84DDF17936B116C0310C7940E63F3CD2285E4F25654A944FD8AB6382FB7E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454447Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:54.712{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=235A8CBCCEFBEC2B026CDC7AADB53734,SHA256=51E29E833800C4B992ED7CC536A22530E977CEF62D5CFEA4B05F8FF28926983B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454449Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:55.727{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B019DEEB81B48B495D1470983F589F43,SHA256=057E1368E5ECEB47968A28CC4273EDC500BC5D00E8AD567FF284EDF94B89C060,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454448Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:53.627{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60980-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000399213Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:55.279{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D293FFD74A7F388A73AEACC0913D2E0F,SHA256=A4F84CAF35AC4F53DF6E649D3CBB18801B0183095ADE2D31E0E14A3151A06D2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399212Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:53.439{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53976-false10.0.1.12-8000- 23542300x80000000000000001454450Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:56.757{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7166457BE5CFCB9231B4F0CB7BD434BC,SHA256=A4B4861B362788B3BF3343D4188C2275D9A1CF5606BFABD6AA5BF4BA86664753,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399214Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:56.373{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70106CA203E9D108FBECEA867D41F073,SHA256=64F777E6E0F5355AEA414B380CDAD940DE5F96C08AE08594685FBFBFC1277A74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454451Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:57.773{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43216FD2779F6B3C316A662B5D3440BC,SHA256=E04F2DDF2C5C4C84EF2D9F5FF32FBA64ED2FB73DD8F9CFA79AA3AB077A12E0E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399215Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:57.404{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD0DEAA2FF5D427BAA4F480FC3103C15,SHA256=75E69593561AD3A69B23F5D3AC1B2575958B31DD8D9148667E99819590D8F886,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454460Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:58.975{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0A46-60E3-3F0B-00000000D301}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454459Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:58.973{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454458Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:58.973{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454457Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:58.972{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454456Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:58.972{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454455Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:58.972{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0A46-60E3-3F0B-00000000D301}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454454Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:58.972{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0A46-60E3-3F0B-00000000D301}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454453Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:58.971{D694AEB8-0A46-60E3-3F0B-00000000D301}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454452Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:58.792{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6698332F02527CB2C27236121906D16F,SHA256=78212888769674E7EC0D9182196FBE6FFAFA73C5FAE4263229635C4F1CA62229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399216Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:58.404{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C147A9A80785DAC7EBD7C2A7EE8258BB,SHA256=C1C66EE9C8C24DF6FBFF0453EBD1DB20D21DB55839CF3BDF50F4EFF1EF46FD8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454470Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:59.806{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A96E94FD5F12791918E30BC1D96569A2,SHA256=CDD16C4346CB0D060B0EC5542712AB3758902408DD3F7B1F8D23BB5EF3083244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399217Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:59.404{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF991E2ED8DFBD9379FA19147AED89CA,SHA256=6370D9C3DE87F659C6CF4FA5C283D6B137A557AD5E7C6098F6E1723095786ED9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454469Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:59.691{D694AEB8-0A47-60E3-400B-00000000D301}70444620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454468Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:59.523{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0A47-60E3-400B-00000000D301}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454467Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:59.523{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454466Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:59.523{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454465Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:59.523{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454464Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:59.523{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454463Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:59.523{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0A47-60E3-400B-00000000D301}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454462Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:59.523{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0A47-60E3-400B-00000000D301}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454461Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:59.523{D694AEB8-0A47-60E3-400B-00000000D301}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454481Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:00.821{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6881676764768761109FE4D13C3DE15A,SHA256=0139A88E41753653D5474EAD5A62187DC8AB725CE178D16E794D66DEF9974E03,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399219Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:33:58.454{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53977-false10.0.1.12-8000- 23542300x8000000000000000399218Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:00.420{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B52356AA3E2FD4ADE85506DE2B76C3FB,SHA256=69A40C707C2FA01267C606C0DE9339097C1ABA1BE6EEF9D096892F43683D891C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454480Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:00.190{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0A48-60E3-410B-00000000D301}540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454479Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:00.190{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454478Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:00.190{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454477Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:00.190{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454476Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:00.190{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454475Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:00.190{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0A48-60E3-410B-00000000D301}540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454474Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:00.190{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0A48-60E3-410B-00000000D301}540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454473Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:00.191{D694AEB8-0A48-60E3-410B-00000000D301}540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454472Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:00.053{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=574982A3A9C9EB4888BCDB6B05FC09FA,SHA256=70F998C8818493FC72BAC1AC28746A20B844C9C130D2843A5D377B837EC3C199,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454471Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:00.053{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A456DC7F66DE187253374DB693158822,SHA256=8E0EFA6E68993D98E47A931B0969D12863247083D7FF998A975C014146AF5456,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454484Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:33:59.616{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60981-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454483Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:01.851{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BD7EEDA0AD878E1F967A71E3E68F798,SHA256=BB91A05D838C98E08CE1D26D02087AB4E0F0F65BCE5F6012ACF3587BC619CA9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399220Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:01.420{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA93262429ED501EB7B04CAF9BF4B792,SHA256=5FA7FA5BD83DC3A12CF02EA8C15C3380D58C8F0FA464CE7030D5C2630EC7D203,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454482Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:01.220{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=574982A3A9C9EB4888BCDB6B05FC09FA,SHA256=70F998C8818493FC72BAC1AC28746A20B844C9C130D2843A5D377B837EC3C199,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454495Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:02.987{D694AEB8-B3EA-60E2-0D00-00000000D301}9166272C:\Windows\system32\svchost.exe{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454494Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:02.987{D694AEB8-B3EA-60E2-0D00-00000000D301}9166272C:\Windows\system32\svchost.exe{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454493Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:02.934{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0A4A-60E3-420B-00000000D301}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454492Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:02.934{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454491Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:02.934{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454490Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:02.934{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454489Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:02.934{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0A4A-60E3-420B-00000000D301}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454488Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:02.934{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454487Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:02.934{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0A4A-60E3-420B-00000000D301}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454486Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:02.935{D694AEB8-0A4A-60E3-420B-00000000D301}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454485Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:02.872{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A60F9C0F113199E46C4646E453221D7B,SHA256=AB36FFE438D479F36132A54601B8B6C480D79B6059E3D024945EF2D1D7878ECD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399221Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:02.420{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3974A53E8DAAA4ABA4C8C311ACE60A87,SHA256=9D3B269502E50AA73F76154E7E4A57A5C2BAEB52949A6A31D2AB4C41C854CC82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454507Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:03.950{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C6EF024B46A49FF0607FB20FB928233,SHA256=9C79F1B934BF9BA14937C13038DFC44445684DEC41A9157CE2FB8A6E09E87E23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454506Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:03.887{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0001BB435553F3884C2BF3D058F8495D,SHA256=C35C9393BCC19BA9CC7BB3748150E7B3849684818DA0C80BFFA0FAA1CED933B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399222Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:03.420{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E9BE9539D3AD1A8E8DED1D079BFDB5B,SHA256=3BAF70B187F04309A405E646ED50D72BB934E8A3E83DC5EBF17D9F025A632E85,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454505Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:03.734{D694AEB8-0A4B-60E3-430B-00000000D301}63164484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454504Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:03.603{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0A4B-60E3-430B-00000000D301}6316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454503Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:03.603{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454502Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:03.603{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454501Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:03.603{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454500Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:03.603{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454499Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:03.603{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0A4B-60E3-430B-00000000D301}6316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454498Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:03.603{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0A4B-60E3-430B-00000000D301}6316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454497Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:03.604{D694AEB8-0A4B-60E3-430B-00000000D301}6316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001454496Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:03.071{D694AEB8-0A4A-60E3-420B-00000000D301}54882696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454524Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:04.933{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0A4C-60E3-450B-00000000D301}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454523Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:04.933{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454522Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:04.933{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454521Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:04.933{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454520Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:04.933{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454519Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:04.933{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0A4C-60E3-450B-00000000D301}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454518Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:04.933{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0A4C-60E3-450B-00000000D301}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454517Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:04.934{D694AEB8-0A4C-60E3-450B-00000000D301}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454516Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:04.918{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D306D491726B1ECF1B104529E012449C,SHA256=94E515033BF04D605FDD217290272545473C78BDC92E80DFB6A0A333FE42B8D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399223Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:04.420{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF7A2DC5590289F881A9296EB38417E7,SHA256=F427754A8731BDB25586683E39C40004ECC650AA8CFB641191A4134F8E2D5EA0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454515Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:04.287{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0A4C-60E3-440B-00000000D301}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454514Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:04.287{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454513Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:04.287{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454512Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:04.287{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454511Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:04.287{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454510Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:04.287{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0A4C-60E3-440B-00000000D301}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454509Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:04.287{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0A4C-60E3-440B-00000000D301}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454508Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:04.288{D694AEB8-0A4C-60E3-440B-00000000D301}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454527Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:05.948{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8BA79E3F28DD512708E071E115B98C5,SHA256=6B15124FA767A877B1079704A20A1C0A43B8D2CDD427CA9A9D069CCAC190736A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399225Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:04.423{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53978-false10.0.1.12-8000- 23542300x8000000000000000399224Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:05.420{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB86858A5A84300B7B1D8992E033EC06,SHA256=CA042480F279162D9F4CA779BAE53CB475648FFC5598011916AE4B4B75BA8DFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454526Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:05.317{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE45D216BA5C490C10D4296EF45EE53A,SHA256=65B19A02C598322D63902B183E98C28A5AF8241E01EAD25A65CB94B1F5C2CA07,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454525Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:05.086{D694AEB8-0A4C-60E3-450B-00000000D301}4632348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001454531Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:06.966{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=363F0D455D2667E44FB6351A513BEE4E,SHA256=81D7DD138560A70A4B9EABBDE830BDA62FF3C9C4C5DB4A1F931132E61A4D0A5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399226Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:06.420{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DECDA98A3F9E72FCF71E258DF3B6731F,SHA256=638A2C8E446A0AD8EE07B44157001F3897904A08883904265F47E56447AA8CDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454530Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:04.649{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60983-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001454529Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:03.382{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local60982-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001454528Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:03.382{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local60982-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001454532Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:07.983{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B62C5251A9D6064794D56AAC05CECFB,SHA256=B1D733939743B24D17FCDA91950E5F4FA008C55653CDD3D764F7491502749AAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399227Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:07.436{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7CD0D6366D0A5D0E08FFE31C2361615,SHA256=225DEC4DA757B1E35B423E3210C392EE48D6853A7D37E8A338321E2E9F0E9A6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399228Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:08.545{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AECF0CB7B4FD0D829A9A47FA4508867,SHA256=A62E753FA7B52A064642F58D4A8510E7B326F4DB22E9A7C25E53B2D1085020B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399229Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:09.561{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA26110A43E52CAD5E4FDCC261EC3629,SHA256=85D30146CA091E8F8DBDCE2BE0D9F5C782DECCF401E55AA3FFE9BD87DC71F073,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454533Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:08.997{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1250002E4ABD413E98FD44F2F6C0CE4,SHA256=B5E6DBEC5C86536A49E3541D306F26C52A74F8A47D373860CEA265B30ABDF706,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399230Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:10.592{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23E51F8261BA08C6A384604940DF20D3,SHA256=949339170A4D9F781B60E3C1D2DF5E4C3C0A23E45F6B78B274C1A7F56CA72AD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454565Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454564Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454563Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454562Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454561Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454560Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454559Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454558Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454557Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454556Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454555Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454554Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454553Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454552Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454551Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454550Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454549Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454548Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454547Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454546Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454545Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454544Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2500-00000000D301}2804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454543Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2500-00000000D301}2804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454542Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454541Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454540Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454539Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454538Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454537Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454536Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454535Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.127{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001454534Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.012{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64F8B3875B73DF9BC0776FBB03987E2A,SHA256=F6EFEAB9D711363B83F38BE4B69A4C6BFB905683C7ABDDABEE8F68CA72A18F55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399232Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:11.623{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B019A1FDF25128E0608541C870372A33,SHA256=90DDA9F3058DF7BC2B8386AD81D587A265DBA5A2D597400A914049EABE8ABFBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454566Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:11.210{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3D9C2971B486D3C3E44A82B42B24738,SHA256=4F304DDCB65287E14A9A881199B6BF59CCC0CD07865FAD6256BD7CF568673CE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399231Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:09.423{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53979-false10.0.1.12-8000- 23542300x8000000000000000399233Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:12.623{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8E1C18B1EE185C3F75D94720CEA5E43,SHA256=1AC00C5D7EBEB6D99523931F36E3C4E67EA1F5EA0954867D1F3A36582B0443BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454568Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:10.642{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60984-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454567Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:12.293{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0ED7148042B4F6D66E42EF077957012,SHA256=9FF6CDDC135F0369A420CAC7579B0D6413A8953A30FBA782BCD549BAAB8DA744,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399234Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:13.623{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC300D1B252C938FA00209C52AE1A729,SHA256=BBA6548CC78CA29467EB176390D5ED3A1FFEFA057B2340D3AB0CE57311DE598D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454569Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:13.308{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFBB146229295734E1093A40385B6066,SHA256=B94FA3E99FE99FC83ADA6BE27BE72E940FE079A79C62BCC39357E5D90D0E85D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399235Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:14.624{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1DED4FBCF52DF86A60B1F4BC29C6932,SHA256=A4BF3B551B9BAF399A9E0D7FD85B77C3DDE399E02CD6E5FEA357B4332E11646B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454570Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:14.339{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E202D7931DFCD52E99D17AC53CF6018F,SHA256=EE508065BB04BA753F909D1A1EA82EEB9157F47E612941440378154E81ABF8C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399236Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:15.639{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31A86904A02F3A5A0C9252699D5D87B6,SHA256=108DF26DC866DE66F64B00CB6FAEDA0CD3312A0B64B68B75C677DA830306BD12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454571Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:15.375{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A822EC2F228057E35B0FEF546B7F4D80,SHA256=ECCC5111C19B2A74B5B9EBAA42840E59B0B61D4CB5499EE0AB5B74253626D423,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454572Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:16.405{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B96FBAAFD76AC554F1A3AA2BAE5F12,SHA256=23F8ED149A7C0A02E9117203B983E976DE9113495A2A98A5C64CF3BA7A0AE6AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399238Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:16.639{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8E40283CB3593AF4F1CEBAE3BAA4588,SHA256=9172782E9DF9B9DA4D88E0A25F6F67833E2CFDC109FF29BB76634C2D7716D27B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399237Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:15.377{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53980-false10.0.1.12-8000- 23542300x8000000000000000399239Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:17.654{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC3F17E4A950B15CC33FF0506DB1E80C,SHA256=93E66D2EDDD354A4D37AE90544BD992F5460689223E449D5BA10E12F806D4FFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454573Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:17.435{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D1EE4CD719D9DF8628F4D56D18F5BE3,SHA256=91FD9410B86AC47F0193660DDC7C4F75A2583D86A99D548D9576F0281C254036,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399240Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:18.655{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6520A46B52A080117711F53760B4F979,SHA256=69EC3F341B72D08892192AB008B1EE77FA1AB50F67DA2C11E8B970BC92A4ED06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454574Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:18.451{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F21427BB08F8EE6214F49540018B0C81,SHA256=485C58470292E9CC6195A9504D45D301CD9B740C024C7BA279E38A39CBD264D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399241Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:19.686{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBDD04B8C186490CF0A3EFD667BF44E2,SHA256=5D02D6F404BB52097CBB5FF5C498DD78CDDD7CD87A3FCFD407A3C54C33025F57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454576Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:19.470{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93110867AC31785E851192D2140E4686,SHA256=0658B34A1C650420215AE1C968D6023453ABFAC8890656719E0E5C4C9189C5D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454575Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:16.651{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60985-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454577Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:20.485{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FBB6071EEBF807186442EE719952DD8,SHA256=81361F55ABE63EA43CB3AB5C4DB38CF129C3DC2EE4C4762D28A387AA03FA25AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399242Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:20.686{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ADB8C4236EB66FEE41C51FEA2B85F9E,SHA256=D2FA82C7C55DD37D9D6881C96BCC694BCCBCA8B9A5C9E8F8610BFF08DC8775CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399243Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:21.701{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A993E5B898722B609D8C39F57BDC3631,SHA256=61C6EBE7E7283A2D35880813830B6C5C8EF48AF3F046EB94A3ACA6097D23C629,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454578Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:21.500{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2496E6488E941D7CEC0D261456D5A8F3,SHA256=01B355AC3CFB69FD035E1063BEC9E5E0D50A94F9B5863F335302165BB61BAA3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399245Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:21.408{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53981-false10.0.1.12-8000- 23542300x8000000000000000399244Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:22.701{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=683D292755B7918F45AE4FAB878A05C8,SHA256=EAAE354CBCB765E844CD32F60AE3F879992F06134EC8CBCC73F9166D9A3C7660,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454579Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:22.514{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C8DAB9A78DD64EC37588797295F854C,SHA256=5EBA7754D6AFD7C259098BCE65AB67FBCC37114DB9DB23147FF335DEE77FA8D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454580Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:23.529{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8DAD7AEBC676C0B1580E4612847F94C,SHA256=1D1A9C820D7196D8AC8E5030965D6C28BF3656DC596B71C284B7EFE026DC9216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399246Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:23.717{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD1EC954D0C4FC3408BB17F1B516C969,SHA256=FA605DAE6A18D3E6BF3577844C35F3A77CDC5B2B103F160A8784A8C1B808F52A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454581Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:24.546{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2F2CA4AF59081EF5031E37DD0D41EB8,SHA256=139B42D33913EEFB1E2048A8A1C4CDAFF7228C7595174EC42B3086B0D74452E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399247Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:24.717{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D99751686F3A53213A6D9EE4D518F7E,SHA256=9F5A798C50CADA8B3BC389CDB752A1F490ABA54A77DE6232C180E706C38973AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454583Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:25.565{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F3347CF5DFB45B06BC94E56F5729DE1,SHA256=050A923873504A0D63AF72F010BC160D6C120CE22FB9315DAE7EF5921CD30EE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399248Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:25.733{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=558C1069A09B4014D0399DED6B389BD8,SHA256=B68B70304E93F726F68B749941BC60C22DEB679346EAED71DF3701D8D24EE917,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454582Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:22.661{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60986-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000399252Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:26.733{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FCDB46E8C3584B120E6DAC209A8A57C,SHA256=78FEB57C8B1C5010BE20D5F32BD0E7FA9F3E02F9B64B56FE403F2EE06F11CA3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454584Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:26.580{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E035DB983EF50042E4C683B795544A41,SHA256=71FD10F9B39CC84F0EA2333291E620E6622B892B2D6996BD8DAB26BCA2FC30D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399251Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:26.373{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A8635636B5C7FB65A03D2413ECA00D56,SHA256=232D04B8DCC6C84C8ED149BEE12752AA3386B99F1F88B124C09176DFC0591320,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399250Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:26.233{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8ED7B5579D8D41DA371B7ED641A8F7E,SHA256=650ECA7D504168618A23AFB998C4CD1D61C3A55FA091FA2E042084A02BDE5A39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399249Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:26.233{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D5946237EFB76B87B9BF2BD280AF502,SHA256=C8FD71BDEF165800C3CEEF56291FB468B13D5AAB00C114286B96F5D871E823CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399254Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:27.733{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74C8C82F1E0242379561FABA47F04328,SHA256=3AF384331AB8D47F7006FF7B805BC4467049F1F001D551766E415D8F4E18ADCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454585Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:27.626{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB51856B5BA564F63E21744D7D873743,SHA256=1FD35CD4F04C28057B628585865D789F90F12DDCB2D0BC7F230D634036A1E3C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399253Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:25.175{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-62471-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000399256Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:28.748{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D176183B879EBBD44A16827495D61FF9,SHA256=4AFA962441C7B472E492ED02F7ED390BA1491B5DEE0B0CF3919432A00FD4F3E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454586Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:28.645{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C8469DB304A99F025416685D816D5B4,SHA256=2D148C90AF721539C7F36200709EFFBA792DE87A3EA1AD98CA738A13A1F6251B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399255Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:27.377{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53982-false10.0.1.12-8000- 23542300x80000000000000001454587Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:29.662{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D082824568A32F0E8B924937B47AB01D,SHA256=DF8C13F2D2720701B5FBF291ED5D8A75A9F06D7034924FBA912B92A07DAC1874,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399257Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:29.764{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA2F9F45936152455EB77939F1F6146D,SHA256=B81A8990AD998E7BCCFDEBD012540D4CF6247A8AE40E2F2B62E2F86FDA4481F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454590Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:30.663{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5DD892B91B91DD401FF831B510E9584,SHA256=0E3F2F91DE4350F2DD1BFAFE0A9D230D7836B845F8F525EC73AEAA126ABF5677,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399258Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:30.764{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3BABD9AC824FE46094B31701427CC42,SHA256=A9501ACA12F730FEBF0E914E35F32FCAD74106633A87951559029B10C319271D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454589Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:30.625{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454588Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:28.655{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60987-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000399260Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:31.843{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=619AE809D65887C43C3A2875F4C0A897,SHA256=0314EEF032C97E797704B89CB5FC447674D7C85FE3879B8E4690540C7EA36F42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454591Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:31.677{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F948FACFD5E3EF9F99D81AA231E7AE68,SHA256=94B9E7F50A9A7E0E55FF350FDB944FDC7F7201FA09E7A79D30999FD5559FF2BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399259Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:31.311{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399262Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:32.904{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14C7C58B2ABDFD70B6FB22644AE5B285,SHA256=EEDF793FE24B83ABB729292DF3F3CF5393D6E47B95D923A6232DE1C1E8331EDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454593Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:32.692{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92C221D250ADE6DFAE36DBC9E4BA45A2,SHA256=D48DD8B722D7FFB020D287DAE641D1221B26CF740B66B8FEC612596E3558D8BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399261Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:31.502{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53983-false10.0.1.12-8089- 354300x80000000000000001454592Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:30.057{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60988-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000399264Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:33.906{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=626B11B41F355E070CB9044845D5B3B8,SHA256=C159AA5C8EF018937FBF45224E2C7CFA1574F136BC0132BDA3B707CEA2D787FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454595Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:33.991{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C13CF125B081EF620AB5FA09CCC047FA,SHA256=027462433646E139696AB3251D50C77C28D8281A894D6570731C6D7B6EC4E183,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454594Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:33.722{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AC1661C0E24DCB3A43B561E92DA348A,SHA256=73BE410A9459F6BFD322DF2C0DCC7168FA6141246A9B7C5EBD1FA18FD01DDD91,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399263Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:32.377{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53984-false10.0.1.12-8000- 23542300x80000000000000001454596Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:34.742{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53AB8BCD1BDBB80BCCF22CE295B95542,SHA256=B9A61B040538CE2CA8C0F2313AE3FA36F9314155D1EEF52600E884985DA0B800,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399277Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:34.638{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0A6A-60E3-AE0A-00000000D401}3156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399276Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:34.638{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399275Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:34.638{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399274Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:34.638{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399273Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:34.638{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399272Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:34.638{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399271Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:34.638{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399270Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:34.638{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399269Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:34.638{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399268Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:34.638{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399267Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:34.638{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0A6A-60E3-AE0A-00000000D401}3156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399266Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:34.638{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0A6A-60E3-AE0A-00000000D401}3156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399265Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:34.638{7F1C7D0B-0A6A-60E3-AE0A-00000000D401}3156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454598Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:35.758{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ED1F6D9BAEDEA2D534F9C1C47741F5B,SHA256=1F886A61BD17D0A487FCE75C31DAA6DCA667638FBD037A7B006D18161558881C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399306Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.983{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0A6B-60E3-B00A-00000000D401}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399305Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.983{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399304Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.983{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399303Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.983{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399302Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.983{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399301Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.983{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399300Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.983{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399299Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.983{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399298Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.983{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399297Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.983{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399296Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.983{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0A6B-60E3-B00A-00000000D401}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399295Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.983{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0A6B-60E3-B00A-00000000D401}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399294Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.983{7F1C7D0B-0A6B-60E3-B00A-00000000D401}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000399293Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.858{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=193FEAE7F20101672FFB6D93AC964D16,SHA256=6DFC03021EEFEC70C11DA6EF8E7269E671E8677ED8A7F55496ABC01260279F46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399292Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.858{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8ED7B5579D8D41DA371B7ED641A8F7E,SHA256=650ECA7D504168618A23AFB998C4CD1D61C3A55FA091FA2E042084A02BDE5A39,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399291Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.310{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0A6B-60E3-AF0A-00000000D401}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399290Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.310{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399289Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.310{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399288Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.310{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399287Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.310{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399286Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.310{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399285Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.310{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399284Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.310{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399283Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.310{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399282Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.310{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399281Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.310{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0A6B-60E3-AF0A-00000000D401}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399280Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.310{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0A6B-60E3-AF0A-00000000D401}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399279Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.310{7F1C7D0B-0A6B-60E3-AF0A-00000000D401}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000399278Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:35.106{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26FBF9B2590B33A9308F848E63B350CF,SHA256=2EE8E056FB0FD86CD604E5341F571625F944E2711022FD68288C3092D699E072,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454597Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:33.669{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60989-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454599Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:36.788{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F41B2B9014110C7BD636478F4C4709B,SHA256=1413F258B43F9D1927A8AD6499B42A043C401DCAA30A1DC027A1683967C1CCB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399308Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:36.186{7F1C7D0B-0A6B-60E3-B00A-00000000D401}38322884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000399307Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:36.170{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D2947654619AE2DC67865F7F165803C,SHA256=B80995B43F3BE3639C005A64D2B6D73D036690B9703D96A1C7364A60C40538A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454600Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:37.818{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26C9B7C5395C719A181F0B0B386ECCBE,SHA256=726CC22A62E597921930E5787BF0ECF232188894901638A84EFD1B7EE03A3305,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399310Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:37.233{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB63EF399B709479AE4670F34BA1C42E,SHA256=DF847F49DF44B55F1D75DD69E22E8682FB0B6138463433C94333A71312EF9FDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399309Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:37.170{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=193FEAE7F20101672FFB6D93AC964D16,SHA256=6DFC03021EEFEC70C11DA6EF8E7269E671E8677ED8A7F55496ABC01260279F46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454601Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:38.834{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E2C146AD5C0FCC2574CCDEFDF9AEB4A,SHA256=52239D1E41D0809F2E74AC820107B5E5144DD6F17BA9536E9FFD2762328D8DB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399311Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:38.326{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=348AFE660C4AB8973737A17A3E102E56,SHA256=977C4A7C01D250089AFDBF8F00E8F05EA9C34D90E244CAB352E18E1D04F12558,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454602Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:39.853{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC6A077A26D9A9D886D7C02C2E87E44A,SHA256=D9143F347808FB425923F7050E4F050B19D20A1BED8045A30CD2287AB50BF439,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399341Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.780{7F1C7D0B-0A6F-60E3-B20A-00000000D401}24323252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399340Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.623{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0A6F-60E3-B20A-00000000D401}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399339Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399338Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399337Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399336Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399335Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399334Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399333Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399332Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399331Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399330Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.623{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0A6F-60E3-B20A-00000000D401}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399329Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.623{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0A6F-60E3-B20A-00000000D401}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399328Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.624{7F1C7D0B-0A6F-60E3-B20A-00000000D401}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000399327Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.358{7F1C7D0B-0A6F-60E3-B10A-00000000D401}18762324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000399326Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.342{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04D6D6F2529F51D5F6508676F9DC5549,SHA256=7AC957D189BF87AE4CCE646ED7E51DA6A48BBA20BA7DB03B8305D5CE37893085,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399325Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:37.424{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53985-false10.0.1.12-8000- 10341000x8000000000000000399324Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.124{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0A6F-60E3-B10A-00000000D401}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399323Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.124{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399322Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.124{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399321Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.124{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399320Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.124{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399319Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.124{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399318Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.124{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399317Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.124{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399316Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.124{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399315Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.124{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399314Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.124{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0A6F-60E3-B10A-00000000D401}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399313Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.124{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0A6F-60E3-B10A-00000000D401}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399312Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:39.124{7F1C7D0B-0A6F-60E3-B10A-00000000D401}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001454604Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:38.701{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60990-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454603Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:40.853{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E6D18B986863E6992DC3DA2AC38DC84,SHA256=3ABABD92FDA4628A528777522B0882764FA2D5FCE947BDD2947CC1618B2442D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399369Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.967{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0A70-60E3-B40A-00000000D401}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399368Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.967{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399367Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.967{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399366Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.967{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399365Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.967{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399364Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.967{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399363Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.967{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399362Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.967{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399361Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.967{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399360Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.967{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399359Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.967{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0A70-60E3-B40A-00000000D401}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399358Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.967{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0A70-60E3-B40A-00000000D401}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399357Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.968{7F1C7D0B-0A70-60E3-B40A-00000000D401}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000399356Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.780{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4323041A49A62EDCB2A1032721371B16,SHA256=2A0335DEAF2712D7606692F999BE57C98E2AE29EB5875CF628459530722EAE2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399355Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.326{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5288B7C48AEA123C17A7B339E088791D,SHA256=B82C82DF2C8A5F0FB58C5D6F6E67C6325A8F0B78334B8A91DDAB17C26D081291,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399354Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.295{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0A70-60E3-B30A-00000000D401}1556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399353Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399352Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399351Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399350Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399349Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399348Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399347Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399346Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399345Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399344Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.295{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0A70-60E3-B30A-00000000D401}1556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399343Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.295{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0A70-60E3-B30A-00000000D401}1556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399342Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:40.296{7F1C7D0B-0A70-60E3-B30A-00000000D401}1556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454605Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:41.883{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8233EF2B302BB3662C3AE394AF26D4BD,SHA256=0F44D3D4EB19E867F8465E5CA5F0BB4760BE2B4CD835AB5191C5E1CDAF0667FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399372Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:41.983{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB35863D80482F9A34CEF6BC568EAF54,SHA256=44A367953F50BDCAC5D36664D60FF5FA5026100D092A16A29B4A52B8A8085ACE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399371Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:41.842{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E193B67E6512FB15FC6F5EEB07A62896,SHA256=6FC58EB860AF8061DA4BFD1D75A628FC890A562CA407AAC31FCC5F364CA72ADE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399370Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:41.155{7F1C7D0B-0A70-60E3-B40A-00000000D401}18603640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000399373Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:42.842{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92D73A8BFEC2B2FA93DB72B6FC70E814,SHA256=7EC5BD4C9A492702C6258FD300D1848C4BA5C041B74063BDB32A34DC0A680FD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454606Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:42.914{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83022F8A4CE443CD9349E6A2AAEA76EB,SHA256=94AA91FC797E6473C7C880E403205FAAAB5E5888E761722B3A903B529F2C5809,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454607Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:43.933{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E24B1100C44E5C7C2E89D85CA210EC3,SHA256=2EF2F9800B8BD649000B8E610C5660403D3C7632CC85D6E818E2DE665417782D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399374Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:43.858{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E0EBFB0A0518A22988FA0266D73BAC9,SHA256=83599CF0A9038D2D1F948310F5943AA2510427AB953B506754A03441EA774A9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454608Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:44.934{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B8558BC2918134498D2FBD7CCF3D9A9,SHA256=53C9031C9E332AB26763B7C7E84027DA6F867E6F98EBEE910FFB195ED8C3EDFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399376Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:44.873{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CC3E503886DBDABE4F5A29722728BDA,SHA256=EB76B2877371687AA2CC095732B5CB287F9ABD61DCEEEA1B50FB29B11EA068A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399375Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:42.440{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53986-false10.0.1.12-8000- 23542300x80000000000000001454609Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:45.949{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4F7BB117CD8CF9B9B974C9CC05EEDFD,SHA256=887CBDA5BC75EF4998DDD7657480BDC601B15A2E5F55EB5335B8B8814814794E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399377Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:45.873{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31E577C3E760A77DB12EB25CD69ACE25,SHA256=7293D796802218411122B67569AA39220F6B1C066749C9EA5FD0E7D436087BDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454611Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:46.963{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F2749102052C82C542A0F91B056EE21,SHA256=ACD659D2C721944AFA19ABCBA96FB557D241F05C4394EF9F5990DB3A2E9EE10A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399378Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:46.889{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC6B54F6D86DEA4F3F422CAE660E6A39,SHA256=CF715A0D6F6BDF2317FF25FFF7A2465167C7E9A892116C491F23B1EE5757E797,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454610Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:44.475{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60991-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454612Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:47.978{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80153B2ABF8CEBD04AC822AD4E1FF611,SHA256=F87432850CCAE6D983749C1BE6DCFF47764C1D33932AD5D79B117C61B12557E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399379Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:47.905{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB724D0C80CAE4DD3FD08FEA3B4A6B42,SHA256=CF85B3F8D34D47726E288D241BCA3EBDBFDA25329790C089733A73D4806DA7A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454613Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:48.992{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB0B5FA4B0B25C159E2368BD1400FA60,SHA256=1E119AB69F122EA6B72888E0ED7FA21CA7F53110600A4EF08F17FDD4E2DD31C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399381Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:48.905{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69EB9A6971F588F2D455354E904F0A57,SHA256=E6FCE97A4C51114BE352C1182C26F6198D0FF3EFAD847B3D96FA0B0F87410347,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399380Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:47.471{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53987-false10.0.1.12-8000- 23542300x8000000000000000399382Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:49.967{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE3BBE1311C4D1E512454DB37AE1E91F,SHA256=87BC0D3FA3B0ABEBAC662FBB7F56D692A3BE4AD2B555BB4DB934108F4372AD15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399383Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:50.967{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF033C2AEF4369EEB398A3FE2950CC8F,SHA256=4FED185CA7978064BE4045114156E3C81E55CF30D854C7B8F487EA0225AB6DF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454614Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:50.006{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5643572D0471CE1A3AFF1D1CD973DCE6,SHA256=0D38AADEA0747ECC230C3C11615ED3647FE32600EEEFBCFDD933753F292E1F92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399384Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:51.967{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3660EAEFB99499FC26306114A05B5DE7,SHA256=66E874A43A0C9B21C048D6345027D9E4887D3F4212CC5F39AD1AE94BD22E1D76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454615Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:51.042{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A488A08ADABACD5A08E4572947FE5E7A,SHA256=7EFE8916661F06A0E3494B10B826BE3318D36976638B88AC6BE829B67ABA7AC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454617Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:52.072{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F317360D2E1F7643768B79577E0E3ACB,SHA256=0A9A91C0CF8F6440617089708A7792466335F19A272E9F86618ED1CCD1B0A395,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454616Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:49.690{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60992-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000399385Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:53.014{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0DB26F077A70120EBD3AC9321103646,SHA256=F21DC4CAFDD8ED4D73CAC9205AA4414111A8941C5143A440D546F2380138AA63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454621Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:53.454{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B76DFA309F99D0D4B49DB48C796F7F3,SHA256=F86E41E23507AB6AF3182A4D2988686BE1CB2DCC5CBE48A6BDD8EF900119C5F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454620Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:53.454{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C100A9C62E39323946078BB7D786022,SHA256=8E56CF513751E63B3DB6B250E0ABE75A5061447837F46595177E4E2B17628908,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454619Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:53.102{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=476F3F9A62D9EDF0BB63B7484CA9B9E7,SHA256=7D007BA3301DCD02B713ABCAED9C40A9809B6C95B13CF7D81E7B61BEC9BB5F9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454618Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:50.781{D694AEB8-B3EA-60E2-0F00-00000000D301}376C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-10423-false10.0.1.14win-dc-201.attackrange.local3389ms-wbt-server 354300x8000000000000000399387Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:53.237{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53988-false10.0.1.12-8000- 23542300x8000000000000000399386Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:54.186{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30FA7B8F83E18DF3F8C519B5D36869B8,SHA256=0D0160757B5040482ABCBA1D103337BE3C38FC98578578515F4CFE7D6EBF3AA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454622Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:54.138{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=463C5A7ABF81CBB723040C1A9F61FAD4,SHA256=66D8F6D497B8E0923FBBD0F31FB60ECC8397E1DF0C438280C3EC16AD89E97E3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399388Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:55.295{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D1933DB1BB50403299D0B113BA225FA,SHA256=2844DCC18944B0C3CFAD03EAB77C4F46189F15FE2A152AECA2AD5C1B4160963F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454623Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:55.152{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE901D7018E94FB7629224FB1A236AE6,SHA256=7AA38BFD51AA200E386C4F9F1A97D2D51B112A7959C5F7BE52FFBE7D9C953458,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399389Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:56.358{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C77141F1A7BEC7FD017626BF99C424D5,SHA256=3940088D7C057CA885426F6448AE1175860F39136F71416139108F7D08665FB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454624Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:56.167{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDF9CC3625B935088B632A643C3D80F4,SHA256=01F302DFE2DB9167CD9FD4669651FB490226BAF0820E98A1A5F1B524F93376DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399390Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:57.451{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74D5BB0DE8ED7ED5D8F8E51858EE5640,SHA256=35A9948437E34FA8C228C71DA15FC6DDDE3193038C89E01FAD113A30ECA97C34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454625Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:57.197{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E2DF4F61CB11F9FEEDB57EED10EE4CF,SHA256=C08E594DF7EB03B59428CA5E542FC248B2061132B2A72BF31D335828912F9DD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399391Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:58.467{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37DA721957CE9CBEE158593EF2B88798,SHA256=BA88114B34D1DCE433B6D90DC6EB7DDAF7EC147EF834399672EAA1FC5AE61661,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454635Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:58.983{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0A82-60E3-460B-00000000D301}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454634Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:58.983{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454633Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:58.983{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454632Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:58.982{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454631Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:58.982{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454630Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:58.982{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0A82-60E3-460B-00000000D301}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454629Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:58.982{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0A82-60E3-460B-00000000D301}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454628Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:58.980{D694AEB8-0A82-60E3-460B-00000000D301}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454627Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:58.214{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4055B87836575A00A54D26D824BAAE3,SHA256=684B8C1814321971E8CEADB33EE474EEEF6A02977608A7F148BA62715C5DFAE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454626Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:55.698{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60993-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000399392Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:59.483{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A471A56983AA8874380366714BAB553,SHA256=5AAE93A842C1C4DCD2ADE23F4E200474D0E8C1CC463CD6ABEE86208B420EEDB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454647Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:59.994{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE81C50C3FF12F9433B1496E9A36090D,SHA256=66381D1C6EC88D89C426134555C74A6873631BAE9E35165FBCD22C3D8013BD2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454646Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:59.994{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B76DFA309F99D0D4B49DB48C796F7F3,SHA256=F86E41E23507AB6AF3182A4D2988686BE1CB2DCC5CBE48A6BDD8EF900119C5F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454645Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:59.664{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0A83-60E3-470B-00000000D301}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454644Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:59.664{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454643Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:59.664{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454642Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:59.664{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454641Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:59.664{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454640Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:59.664{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0A83-60E3-470B-00000000D301}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454639Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:59.664{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0A83-60E3-470B-00000000D301}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454638Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:59.664{D694AEB8-0A83-60E3-470B-00000000D301}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454637Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:59.217{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B332A0A47B34EF96478470A7C4C37D4,SHA256=48A39E9900A256700E29FB9B81658646381DB811D28F728FCF8CE777A6AFA9E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454636Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:34:59.133{D694AEB8-0A82-60E3-460B-00000000D301}53645560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000399393Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:00.483{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E51A20A0B4344D84F0C7229F0DA42407,SHA256=27EDFE16346FFB9AD8863C642EACBDFE105C232177D1CD3C6BD1F0CC16078767,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454656Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:00.332{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0A84-60E3-480B-00000000D301}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454655Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:00.332{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454654Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:00.332{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454653Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:00.332{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454652Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:00.332{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454651Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:00.332{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0A84-60E3-480B-00000000D301}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454650Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:00.332{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0A84-60E3-480B-00000000D301}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454649Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:00.332{D694AEB8-0A84-60E3-480B-00000000D301}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454648Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:00.232{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC5594F9D068ABC1F1E0C468BE11F2E1,SHA256=16B251BF133E8A4B16A9B005133814ACB078BFD6BEAE2BF45227434C49614051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399395Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:01.514{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=969218DF95B1B77CEC80A1DD163C2D26,SHA256=333E22059414746C06DC8B398D750EF33CF3F2E754BA632ABE6AE8FAAFAE3AF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454658Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:01.362{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE81C50C3FF12F9433B1496E9A36090D,SHA256=66381D1C6EC88D89C426134555C74A6873631BAE9E35165FBCD22C3D8013BD2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454657Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:01.246{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E87D1747384EC9E28FC91543F48A0131,SHA256=17E34293981769013B46DF7F68665122E4F94668F2F03591D09A6573200457CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399394Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:34:59.268{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53989-false10.0.1.12-8000- 23542300x8000000000000000399396Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:02.514{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD4C59C73B9D573B80896D3E346FD81D,SHA256=F57C056D1FB78B8871DAEA033AFA047D3A418D34360B90C27D6E3B25D5AD9356,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454667Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:02.945{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0A86-60E3-490B-00000000D301}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454666Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:02.945{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454665Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:02.945{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454664Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:02.945{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454663Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:02.945{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454662Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:02.945{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0A86-60E3-490B-00000000D301}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454661Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:02.945{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0A86-60E3-490B-00000000D301}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454660Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:02.946{D694AEB8-0A86-60E3-490B-00000000D301}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454659Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:02.261{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B36C2049A2A3BCA546EE96E48DDC85F9,SHA256=D747C04E1A0DBEED9FC744207F8D219A5275BD10449AFF4E3DE9FC378659FE90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399397Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:03.514{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDFB43FEAC7BEC623C733C88C80C3086,SHA256=A296131CBB61599E57D0FD2160BAE01FEA0D0A5F5D2B7F2BCB2B792F9047CD75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454680Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:03.960{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47B2741918F0CE57DABB79BD3BCCA14C,SHA256=7331CF813709F3A626A46F72BE5251373F9FACEC364E287D40C902FC8BABB4D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454679Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:03.745{D694AEB8-0A87-60E3-4A0B-00000000D301}27563580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454678Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:03.611{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0A87-60E3-4A0B-00000000D301}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454677Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:03.610{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454676Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:03.610{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454675Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:03.609{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454674Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:03.609{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454673Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:03.609{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0A87-60E3-4A0B-00000000D301}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454672Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:03.609{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0A87-60E3-4A0B-00000000D301}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454671Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:03.608{D694AEB8-0A87-60E3-4A0B-00000000D301}2756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001454670Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:01.455{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60994-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454669Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:03.276{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86860B1C23BF565A8CA30377FFDC429B,SHA256=AFD2B5833B905E45DA6FF9C5DAED432F934DCB8245C77D361450F5E54E7D7BC5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454668Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:03.092{D694AEB8-0A86-60E3-490B-00000000D301}6036600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000399398Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:04.514{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E84249889A66D1682F830B2860A9108,SHA256=FB493F922341F01FA22B6206D6A77E74F31DE0E40F85964445712E7283127B75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454698Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:04.959{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0A88-60E3-4C0B-00000000D301}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454697Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:04.959{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454696Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:04.959{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454695Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:04.959{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454694Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:04.959{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454693Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:04.959{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0A88-60E3-4C0B-00000000D301}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454692Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:04.959{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0A88-60E3-4C0B-00000000D301}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454691Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:04.960{D694AEB8-0A88-60E3-4C0B-00000000D301}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001454690Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:04.428{D694AEB8-0A88-60E3-4B0B-00000000D301}71566368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001454689Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:04.291{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8616E2EA9F95572516995E2E0788DED0,SHA256=0C95BDF9450C32B8288ECFDE60A50E8F94BF64D5A27FA938ACA92FCF7232567E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454688Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:04.291{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0A88-60E3-4B0B-00000000D301}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454687Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:04.291{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454686Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:04.291{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454685Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:04.291{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454684Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:04.291{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454683Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:04.291{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0A88-60E3-4B0B-00000000D301}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454682Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:04.291{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0A88-60E3-4B0B-00000000D301}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454681Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:04.291{D694AEB8-0A88-60E3-4B0B-00000000D301}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000399399Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:05.514{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=911D5C136B1F24764189FA928B2D7DF1,SHA256=A4E061503E071B257EFAE93251F4536BC6DA1056E34C609CAC4400A862A26ADE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454702Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:03.392{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local60995-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001454701Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:03.391{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local60995-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001454700Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:05.311{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=540D2591A90FD0C72DF5DB61A919F6F6,SHA256=BB33F7EB7FFAD2F515F0F7268D90FBD1A6260E9F66E984E3C7704FA3127348D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454699Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:05.309{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3447CAC1AA12AA1BE7BDF59ADB03D803,SHA256=F4E5E2F244296E42DE61020B22313F8F7C7D608B39FC5148A6A74B89D3786D65,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399401Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:05.237{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53990-false10.0.1.12-8000- 23542300x8000000000000000399400Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:06.514{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F51C0221CB11BCADFC5494311FA7DD6,SHA256=ABC9C2BC6033688CE67FD473C1BB3DE5A4468241D32D8670ED1759C3A60D38EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454703Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:06.358{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0BA95F6484C4C218B6BCAEB2CC5A331,SHA256=21C0B5915637CAB6177E9863F33FF70BAF012D2A29A430C565F52CB7498056F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454704Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:07.373{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9319E9A6939D11FB741BB1F44EFEF077,SHA256=492BC53668B1B3C2AD7364098F38328FDA58E0A0814A350A885E784ACFAB050E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399402Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:07.514{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E6FC523558714C0E72CFABE4EB61F39,SHA256=1514D91E8E52815189C35869A149973344DC54AA5997253FBC7EEB7B97E86EFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454706Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:08.388{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDAA14EEFCB5600215BD1EC5EEF685B3,SHA256=10B33263256B529BA7029B317C48006402C41BFB3D00C3E86881E912240ED5D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399403Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:08.514{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F7B0E2432262B9EF1F9C66B00D02B54,SHA256=8A8CD224FD0B89068410906FB5B739AFF0187B3DCD26F895195FA70489B3D9B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454705Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:06.689{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60996-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000399404Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:09.514{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E7CE986FF9782715641F7F9D249DE11,SHA256=3636570BDA658BF3A002ECC5455CF95F0A742B9BB1A5619A82A7AD230DE4F68E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454707Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:09.404{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EF367FD2EF6ABBFD9423381E8ABD220,SHA256=18CEAEE74D2E5E0B09CE78327CA87D643DD85C80F36876504F5A5DD36214870B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399405Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:10.514{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56965C6393F8E8F7A2204DF3B58ED0F2,SHA256=608B3E2D87E251C8CA8C6F497F9024883E1421831CD57ECDC013A69A35F6040D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454708Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:10.422{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=295F5646BB58BDB6FBC1406F7488F60E,SHA256=E61E9C9F2EDF05892D420E23DBB4843DC5F5C2868D75AC1ECDD645DD2020B56E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454709Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:11.452{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC0E07DE2C22B33D8A274A0C5D600D89,SHA256=79BEA107A4926BF1226767CA2193F3EB425DE0E6515C99796E9B6EC9472EB0A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399406Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:11.514{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=860C3066AB3617398CD42084A6D9009C,SHA256=D54B70B42A3859DAB8D1BAAA6A1B9FE4C972EB015CE6EF635440C05ED9D086B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454710Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:12.466{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F701AE51A1A617DDA97310250A9E00C,SHA256=03868EC69DF5F35D09EFD796C36B8B3D2ECD38351E1212AE29DAADFD0531B108,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399407Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:12.514{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EFB560FC6BDF598E85AB2F8335E011F,SHA256=0099A2A5653FFDA4BFCC5F9BCD4E226DDBC72F16A0B688950FD8DA868A334578,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454711Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:13.499{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B375825CB5BCDC4380326D5A05A2D22,SHA256=C6E53708ACF15298A3603A1E053F1FEEC569FC84ED20E9C901726D44FA3E77B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399408Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:13.530{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FA5B73E8A7878F22051778088D9BB65,SHA256=6182DD09ADB9FE26D205F4C7997848CEE1241A12E5687A21E7C3B553B3D47839,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399410Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:14.530{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=854E88B612B33936C7EE8BC7322456CC,SHA256=A2E58DFD73C96056A462D92D657D0B4FEC17DE8D03595B425B573538757F3580,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454712Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:14.518{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBC1A4F8FBD14506FC42CF760A3F24E9,SHA256=70E01414305F4F49F9D88BDC7700686E5270781F51056D70586846540C26C66E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399409Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:11.284{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53991-false10.0.1.12-8000- 23542300x80000000000000001454714Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:15.548{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCC2DDC17B2BA87D8E588BE5E5DFB54C,SHA256=00447D150D8917C670E04131FADACF58A85C521D076DB84BAE7CFC4D7DD447F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454713Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:12.447{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60997-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000399411Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:15.545{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61E100AC21CCCA8BD5AA2601D804B824,SHA256=412C97E4C0BE1DD7F4CDA3D1DCA0D362FED7F537ACE87CA2CF76D5585CA8036A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454715Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:16.562{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADAC6D228552CDA31CADA13125F480AA,SHA256=408298EBB335D716CAC9F213F9E5D9B17400E6B11D02FA5F933CC62D357DD861,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399412Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:16.545{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F02C0E5DA6CACA4E2F9978E0B58F9C3F,SHA256=CBE9D3A00221BBE5A6EF1AE4FC1257BB130A45D91FEB77BF71B3F97EA2A0142A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454716Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:17.577{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2F53C5D64EEDB59D619C97520F2A583,SHA256=8209028B34E645AE4063DA30394D4ED87A1B463659CE9C828198661C70152F6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399413Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:17.545{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FCAB5DFFA400766DDFBAA06E3B28C47,SHA256=6D4C4904DCF11BDDA2D704BA7BD7D7CE4BA7D202C5EAC8128FF6A09E7544A674,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454717Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:18.594{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7BE453DD8BD5C0C91268C137F96DBC3,SHA256=7A0A3E9B2773AFC31924495CB0667170F7828EFDA019154862D5F413F2420F75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399415Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:18.545{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBAF6B47A42B5DC4DA0000F58BE15E83,SHA256=11B18E3EB147F2FBF7932715DC140D323FB54391AE8DF54E92B20BE1C63936D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399414Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:16.377{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53992-false10.0.1.12-8000- 23542300x8000000000000000399416Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:19.545{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17F240AC337D1C0C0FE0E9849A0DF829,SHA256=DCF4CC82BD3295511CED9C33CDE77BED9F07C540F6729BC1089B710D8696F0B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454719Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:17.461{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60998-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454718Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:19.611{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79411D441712E0F7D87A574EC7088A28,SHA256=3DF2898B34CFC84C95FC031160B613A93103B873E2D6D764F0A47738328F87AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399417Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:20.545{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEDF83E6BEAA5EDF30936DC1360EFE6C,SHA256=2A5C586391643BE7C2DF530A4A488C0E3C39FFA80F54B4FBF7F93EF9114576B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454720Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:20.626{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29BC7DE68FC81DCC71785003F1841F1B,SHA256=53E31654A9C3C93AD21907DF168741E52EF5925582E0B493DB9A175E142CBA08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399418Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:21.545{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D6C1A33C3F366E8D9918C790A1C5D2,SHA256=BA8A99E277FD5A3F79ED4D6930F87CA58FC3F050720DF9F3FE034C9A516AB2E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454721Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:21.641{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD03304E1CB89518A9A1E540EF577C4E,SHA256=F19C0D1C6E0EEDCBEC157BF2A5750983FDFE936715EC8621C2645E2F48FE1695,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454722Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:22.642{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C6B33E301178EBB9AD0BB8692D0542B,SHA256=A9004DA4EC76402A04602B1E3F526D22D381C969559CFE82F173935A8FD063EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399419Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:22.545{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=945D6C00F333CF77AE6E8D0D93258BB6,SHA256=C0B7E8A73319DA5A73C4AB2E0CFBFAC9261C01E8B610B54AF7C549DC7F5C874C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454723Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:23.672{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CE68510D473BF641CC9670EE3D5F453,SHA256=410CCF1ECE0BD3F6EEB93616738A026DC4E65E24BF0B743C43ABBD01D9AD9848,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399421Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:23.545{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E50F17B5D1B7B0E08412A1E5FDCFFA80,SHA256=A302EE58D7669C3677F34BFD1BD94DB7A7F9ED244FD0B58C2CD7CE6444ED5F4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399420Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:22.378{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53993-false10.0.1.12-8000- 23542300x8000000000000000399422Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:24.545{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=003AA594D655EC37D2F370F5FF4A7E5A,SHA256=475236A86B7C447BCA4FBD0422A5E633C721CD4FCA4B55F1F9C75773A79B3017,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454724Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:24.689{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9A28B07F61877235AEC9D732F27DE65,SHA256=D772DC562892D469BA3A9B3C48C57EEEB7DB25B21D18B90259BBF7A87D19F5BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399423Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:25.545{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CA853773A7EAC7BE0CB03FDA67095A4,SHA256=733EE4C9F732C5D3A2C6E5C40713439675812ACE7B8C11F4543A545E9F0FD2A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454726Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:25.708{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F1A467650FA92B5019D58EEC82B2002,SHA256=92B58F193F5D111C7F5FBB3771B77735765E893E243CC15D098EDFA93C63ACF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454725Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:23.487{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60999-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454727Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:26.723{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27693B434BB518318CAE56F17AC88FD8,SHA256=F8430A0910C67280E5D0ED97D8A6E0430DA8824AC1EA9947D7A7369DA626CA71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399425Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:26.545{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=037F3C1BB46BD3A0C1D4D712661BCFBE,SHA256=690A98E81621F7621E6D18DF5725D4AD3F59E20A1AEA05ECBCE81CBE7B12EF8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399424Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:26.373{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B85D8EF546B51EAE372E725CA4151723,SHA256=74E2438834CC8689D289DE96E83644C66E431B6FCE48BFF6785633BA2FD5492A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454728Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:27.738{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE0E112A59B846EAE111F55625FAED7D,SHA256=292DFC12439A998ED0DBD4C9B31A2ECEF361F291AD32E044036D5FA4F2E7899A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000399436Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:35:27.781{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000399435Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:35:27.781{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0152dcd7) 13241300x8000000000000000399434Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:35:27.781{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7719a-0x3bf8e06d) 13241300x8000000000000000399433Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:35:27.781{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d771a2-0x9dbd486d) 13241300x8000000000000000399432Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:35:27.781{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771aa-0xff81b06d) 13241300x8000000000000000399431Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:35:27.781{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000399430Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:35:27.781{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0152dcd7) 13241300x8000000000000000399429Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:35:27.781{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7719a-0x3bf8e06d) 13241300x8000000000000000399428Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:35:27.781{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d771a2-0x9dbd486d) 13241300x8000000000000000399427Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:35:27.781{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771aa-0xff81b06d) 23542300x8000000000000000399426Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:27.547{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=979CA027813078069FD1E9B98B9B7793,SHA256=C22B585A184E12B5C5741F1F89F38EB4A9B0DACC4C0D95D9AAB190CC1D271E5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454729Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:28.768{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BC48E7F58AA41EFF64D66F98171ECE9,SHA256=9031B8C6F2E6778415854F775CD997495C8F524B4C9AE9DABFEEC643D119B7D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399437Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:28.547{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A78292B2DD4D5D2A7DFD17A78786EF90,SHA256=1FDEF32A4FDF5202EFE656B992CE09CFE563740ED47764F7322495E679BDDD3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399440Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:29.812{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=803C6260FAE2D5A04C687373C6555D1F,SHA256=1B570AF4BF30CA5CCBD4C9329AB7EBAD036A411F34B8C6FA211E367EA620DD65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399439Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:29.812{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A469120BA9AED0B794CD54F6CCCDFC87,SHA256=8ADC99FF45FB4002DBA01847BE1BFDC5CAEFC7DD3B24AE6E1C383A1633FA77CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399438Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:29.547{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE6EC42E21573A234A6B37FE6DAAFC39,SHA256=F26CD3D73AA8D861EB706A692ACD605A97FE0EEC01DB8575A09DAF71BBAD80BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454731Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:29.768{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=360E0F3141BE3884C500B3FB32A6FDE7,SHA256=BB57AD0F6C5B64DD7A228FEBACA7E3E2D900ED98019207027E4B8C47CFDBEA45,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454730Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:29.637{D694AEB8-B3E8-60E2-0B00-00000000D301}6562652C:\Windows\system32\lsass.exe{D694AEB8-B3E5-60E2-0100-00000000D301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001454738Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:30.805{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96196874C77A93F966D31C901E5CA58F,SHA256=FBB5965E17C8AA9B7768CC173107CFF64ABA92F927F2E82B04B23C570452E2E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454737Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:29.085{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61001-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local445microsoft-ds 354300x80000000000000001454736Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:29.085{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61001-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local445microsoft-ds 354300x80000000000000001454735Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:28.698{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61000-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000399443Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:28.773{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-65432-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000399442Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:28.363{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53994-false10.0.1.12-8000- 23542300x8000000000000000399441Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:30.547{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=841975C8D9DDD0C04891FFA6D81FC192,SHA256=06063CE9A2C125F38FABDEA92BFCED73B4F520EF7EB25E5BCBD49661DD5A64E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454734Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:30.652{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454733Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:30.652{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=564DE44A5C1EA167F227AB60281F1960,SHA256=D3D4FD64C162F01A35DE76CCF807EA261D4450AD26FCD9796661CE3BFCA714CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454732Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:30.652{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF7DB64D7451FDD6E68AF7CCC577E797,SHA256=695634878896C1C3333BCEDDB0CA8747DD16BC771AB13A6289653A10ECF2FB9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454741Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:31.835{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA10A9B56962062676C48AE876D92441,SHA256=AD2697D6E73539860FCABE81D1543DDA017ADB1E552FDCE2CFD221F8A774E964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399445Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:31.672{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77ED91EF6C5B7154059B5D4E7E741CC6,SHA256=2E83D72594ADF5519DFD24503C3DEDF0D746755AB9389CDA6F411D06B1556C49,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454740Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:31.467{D694AEB8-B3EA-60E2-1600-00000000D301}12964484C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454739Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:31.467{D694AEB8-B3EA-60E2-1600-00000000D301}12964484C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000399444Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:31.328{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454743Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:30.084{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61002-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001454742Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:32.835{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A133DE8EF277414936A5F06D0A4DC88F,SHA256=ACAC610A98F1ABB1409A8D0EE20F43C520CF9B2FF0CB2FF8075FD97461CA7139,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399447Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:31.520{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53995-false10.0.1.12-8089- 23542300x8000000000000000399446Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:32.672{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=685A33BE89961916310B6B074BBEB091,SHA256=8FB371C5C919A7C48925BCD3AD84985F88777C5D08BFD49EFD780F519F702981,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454744Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:33.850{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4093A6472EA82904848D210D30FF73A4,SHA256=AE776E32EB83FB5E9163AE6886B9AE62A96E3384EC32E2D9226494AF0DAAC003,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399448Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:33.672{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0625BD7A4AF5BD570F93A69795B18D74,SHA256=DCE22E7B97E9F0306C6B95E14FDD63CCF3F913CFAF855CC1E10B9E551F1253B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454746Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:34.882{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EBD8CD3DA6DEF7B6AD15D2560DEA251,SHA256=6EE8ABFB3FBCA36E3388DC41063C6D310F85AEF6918B9BAFC672D005D682C7B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399462Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:34.687{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B809109AAA2E106DAF24973E92B8593,SHA256=BD089D4A29C3102D56F9AA2AB4F9DD8DC9CE35B4B802121A13D42A13FA62E2C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454745Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:34.003{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=41D7F7227272685E56A46165E4A835C2,SHA256=F66EE7AB3A1F328A7B1B1BCC003D1EEAEB9B83EC68ACA00F56729A28EF7F2A6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399461Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:34.656{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0AA6-60E3-B50A-00000000D401}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399460Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:34.656{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399459Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:34.656{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399458Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:34.656{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399457Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:34.656{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399456Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:34.656{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399455Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:34.656{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399454Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:34.656{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399453Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:34.656{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399452Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:34.656{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399451Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:34.656{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0AA6-60E3-B50A-00000000D401}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399450Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:34.656{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0AA6-60E3-B50A-00000000D401}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399449Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:34.657{7F1C7D0B-0AA6-60E3-B50A-00000000D401}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000399491Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.857{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8DCFA6657AD72C39EB53B6D58AF03D2,SHA256=2068AD0CB8C2E8FF7264930E9B15AEE72861A66165F67A5351EAC19D3C5E8EC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399490Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.857{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=803C6260FAE2D5A04C687373C6555D1F,SHA256=1B570AF4BF30CA5CCBD4C9329AB7EBAD036A411F34B8C6FA211E367EA620DD65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454747Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:35.900{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0162870643079FCCEB4E5DC9106EE296,SHA256=934B7D999C93EFB0ED1071812CA7240A80DFBAB272CEAE627E72ACAB7CC3F74D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399489Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.826{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0AA7-60E3-B70A-00000000D401}1512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399488Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.826{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399487Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.826{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399486Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.826{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399485Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.826{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399484Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.826{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399483Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.826{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399482Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.826{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399481Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.826{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399480Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.826{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399479Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.826{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0AA7-60E3-B70A-00000000D401}1512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399478Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.826{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0AA7-60E3-B70A-00000000D401}1512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399477Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.827{7F1C7D0B-0AA7-60E3-B70A-00000000D401}1512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000399476Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.343{7F1C7D0B-0AA7-60E3-B60A-00000000D401}3084292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399475Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.156{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0AA7-60E3-B60A-00000000D401}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399474Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.156{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399473Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.156{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399472Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.156{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399471Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.156{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399470Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.156{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399469Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.156{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399468Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.156{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399467Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.156{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399466Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.156{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399465Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.156{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0AA7-60E3-B60A-00000000D401}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399464Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.156{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0AA7-60E3-B60A-00000000D401}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399463Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:35.157{7F1C7D0B-0AA7-60E3-B60A-00000000D401}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454748Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:36.946{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B621C6F20D6A9E04B01992BF5B750D7,SHA256=4E8FCECEEC606F2640254A6B0E09BB6E7FAD31678B556C0F3A3B808BDCE66333,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399492Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:36.326{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F7C45D5BA5B1A6A3A170DEBBF8FBF47,SHA256=947759667391AFD6342248B5AF4B14FA7A25C411B54276850D0751C5FC241226,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454750Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:37.979{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60C88C061DAEB46E418E024DA8E93E8C,SHA256=B6AE4A158FCF9F4CC1072411D470874EDFB19F65782EBE9B22995BC377A9D187,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454749Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:34.679{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61003-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000399494Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:34.317{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53996-false10.0.1.12-8000- 23542300x8000000000000000399493Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:37.062{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4A6642E352DF759EAFD293DB35FB2F6,SHA256=03540826196EEDC77691079AC3644B2221DC1ED23567C5F4F546FE363609D7D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399495Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:38.062{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECE343F12104F7FDC47847F5185FB5E7,SHA256=929E859939D378AE47F76DD98E356FDEC56E933334A4DD78DBCFBEFC7A5F11C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399524Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.828{7F1C7D0B-0AAB-60E3-B90A-00000000D401}33403824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399523Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.625{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0AAB-60E3-B90A-00000000D401}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399522Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399521Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399520Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399519Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399518Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399517Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399516Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399515Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399514Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399513Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.625{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0AAB-60E3-B90A-00000000D401}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399512Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.625{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0AAB-60E3-B90A-00000000D401}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399511Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.626{7F1C7D0B-0AAB-60E3-B90A-00000000D401}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000399510Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.359{7F1C7D0B-0AAB-60E3-B80A-00000000D401}32242876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399509Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.125{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0AAB-60E3-B80A-00000000D401}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399508Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.125{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399507Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.125{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399506Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.125{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399505Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.125{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399504Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.125{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399503Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.125{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399502Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.125{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399501Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.125{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399500Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.125{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399499Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.125{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0AAB-60E3-B80A-00000000D401}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399498Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.125{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0AAB-60E3-B80A-00000000D401}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399497Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.125{7F1C7D0B-0AAB-60E3-B80A-00000000D401}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000399496Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:39.062{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=777CACCC84546FB7554F405177123529,SHA256=3261DB516DEF1994256A596998BA9255469B33616E03ADA24CD7EB08D21AE4A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454751Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:39.013{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=043C28660691BA7376303B67C837318B,SHA256=68842E8F99ECBDD05D26AA4F5B36AF6100FAEAD9D5A6064EFC254202E2660FBE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399553Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.625{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0AAC-60E3-BB0A-00000000D401}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399552Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399551Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399550Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399549Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399548Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399547Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399546Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399545Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399544Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399543Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.625{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0AAC-60E3-BB0A-00000000D401}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399542Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.625{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0AAC-60E3-BB0A-00000000D401}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399541Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.626{7F1C7D0B-0AAC-60E3-BB0A-00000000D401}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000399540Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.359{7F1C7D0B-0AAC-60E3-BA0A-00000000D401}10082484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000399539Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.359{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81B5FC30125619AD0F6E71B3E0D925E3,SHA256=293FC24678DB519AD01302F900B73E12A09D90447A4BE2AB984E0FED501863AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399538Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.359{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8DCFA6657AD72C39EB53B6D58AF03D2,SHA256=2068AD0CB8C2E8FF7264930E9B15AEE72861A66165F67A5351EAC19D3C5E8EC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399537Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.125{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0AAC-60E3-BA0A-00000000D401}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399536Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.125{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399535Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.125{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399534Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.125{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399533Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.125{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399532Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.125{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399531Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.125{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399530Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.125{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399529Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.125{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399528Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.125{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399527Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.125{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0AAC-60E3-BA0A-00000000D401}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399526Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.125{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0AAC-60E3-BA0A-00000000D401}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399525Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.126{7F1C7D0B-0AAC-60E3-BA0A-00000000D401}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454752Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:40.028{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24A948F5665FE348991E99A96D5A0E01,SHA256=4DC66A51F599BB4BB9DCB5A9731514198155AE777EF8E43F83A632A5ECDBD595,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399556Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:41.718{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=099B8957F9C9CBB86EAF121C7B290132,SHA256=E9F20E760A2989663E59519A3F23B53227D2F542491F49FF32384894918C600B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399555Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:41.500{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8D7C5B3FE619DD87EABBB44843A0BDA,SHA256=9EB77494DC4E19DDDA6F377FCD913B2156C583AEAA903D1D72F72D8670D32148,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399554Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:40.301{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53997-false10.0.1.12-8000- 23542300x80000000000000001454755Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:41.411{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A0ED68B14D32A4D041F0B1656FF2B16,SHA256=7F4C216ABF3A1115582CF64280660843E5D8A58F8B7384F514C19F629B2F0250,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454754Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:41.411{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=564DE44A5C1EA167F227AB60281F1960,SHA256=D3D4FD64C162F01A35DE76CCF807EA261D4450AD26FCD9796661CE3BFCA714CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454753Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:41.058{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D2F9BE008723F338172EA61A35F6299,SHA256=4EAA7D69708D25E595C4716AA1F8E0ABC62EC0DF29ADF4CFD6A7F80F9549DDBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399557Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:42.562{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5C056881FB7E98831DBA512BE83932A,SHA256=9BDD961BD18FACCC71C27BDC1B1068AA80CA5D6A1F2A44C8D6FED7C03C6E8B13,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454757Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:40.673{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61004-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454756Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:42.079{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36AC7ED44A7D8F79FC76B1BE0DB7796D,SHA256=DD73136B0E3FFCBB4DC885146F8E6E4578BE0E834F70E49E4123B380C0403100,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399558Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:43.593{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A59304D786CBDF6B13CA7DF989E00E2F,SHA256=94BBB1817BA2111425A5DCBABBE95B53E71FDD93525F8111D381AD80893CD60A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454758Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:43.093{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49EB5F78B51A71D2C73B184C3D72D6C1,SHA256=191DB61035B0430C9C216473B002BFCC625CBE2DFCE77FD787619E9CB5C71B08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399559Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:44.781{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35C7599F171CA7443697FBE1CB1B55D2,SHA256=07A8AB72EF9FEC55FCBDCED9C55667A47BC653338D0EB11670BF59454A075877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454759Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:44.123{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D01164AE59B3F2C105977C6B8C117F2,SHA256=73A681CB7FAA4D5362D5F91C186E381EE7F28CB53296342B9E7AFA35C14A9E19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399560Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:45.828{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E58919F8C71903019B5CCBEA4BCE39A4,SHA256=C1BFDA10F95B7CDBB994C8D32C7D0CBEE27FCA93D2718714B32396D1DD1286ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454760Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:45.138{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=536AE207FE1767E3F9CAABEDCECBBB22,SHA256=8964E44807CC2D4009FCB845BBD7514E557FBCF30DB297E986DB69B1709B47E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399562Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:46.843{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C372487A1D7E165B3AD9A72B69DB0CD,SHA256=C8F141A23EB272B052B15B6F2A046FDDE569A4D5E719E5BAAC668175C1C3AC2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454761Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:46.152{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFB969CCCD009BB29066A06DF0CDE691,SHA256=F2946A4C8E7447FFEE8C43C4D695E8D2F1F9743C0595BD4CD29A2A7D24982CCD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399561Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:45.317{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53998-false10.0.1.12-8000- 23542300x8000000000000000399563Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:47.843{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62FE9FB83DC4F6D30D2E52A024488FDB,SHA256=D10E2B90F3B5AAFA1EACBAC799C75DCA1E8132C818B3E50ADD3662CF8200323F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454762Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:47.169{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB3453390B83F15DAA79DCF1AEBDF3F5,SHA256=ACA02FF308EB70BF848C809F10C5C4E4684160E8B696B66766C06000706746F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399564Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:48.843{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A3A048C9249DAAE6E973D227334EEC0,SHA256=FD582894D9AE93783C7415EC29AE2FFF93606C53BAC4AC2F1FFADAE6D9812F70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454763Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:48.188{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50CFEB63FA2CFB477FD723CBE299F8C5,SHA256=2223A89300AFC12C03222E9AE431BE2AE728268C6B7025CF4899AE9F582708A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399565Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:49.843{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56EAC155C0776C115F10F7A17EFE862F,SHA256=5D1395A38A3D428EBEF73332744D8D988ADA3D231CE95F3F5921331FFCC77CFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454765Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:46.636{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61005-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454764Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:49.203{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C044BD2F78BB160CA139F957AFCA1244,SHA256=300F00495E88ED61D47AC5E11894D6D2DC7BC7588439D42409F000B9D5DDE4BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399566Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:50.843{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5319DA847E2D501A8234A180A5328B0,SHA256=F49AF629E3A414C277A9F67367E57D6A36B5E72D1A24AA9219154A4808F5038F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454766Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:50.218{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB0C8C9AA260641830AA61E8446205D5,SHA256=3ADFB6E1B4C43A1F3C8E77AB08A4F1ABA084EC1B1575FA1671D7FF39BC5F97E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399567Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:51.843{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AE86D804172A0649C9AB68ADC026045,SHA256=10D2AF2FDF221BF5478B55E330F6F66FB76CD284521461F53D75AAD2E6E3768E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454767Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:51.232{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1F710E9547EEF188F840730194CC9BA,SHA256=7E5115D4F6D7140E3771E37813BB735FFF6BC2C366C11672D0A929FB3583D083,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399569Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:51.285{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53999-false10.0.1.12-8000- 23542300x8000000000000000399568Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:52.844{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD599F06628A128668D579A472296400,SHA256=4CCC687DF2F21B545F0C993C44A658CD1EB9ED7ED23391FB3B9E6BF89560F297,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454768Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:52.233{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=367DD7A1499686828C36F61226E31665,SHA256=14416C8E24EACBD376E53A4BE4190BC3D07693C5B660B75455B06B9BE7CF7E17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399570Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:53.906{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAAC6144753336FE1F3A2A0C17F03936,SHA256=E38DF35B90E7F1BA5FDBEFDCB409E75068640012ECEEFEAA8CC4927B6D0EF560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454769Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:53.247{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73F4F4B6E952724764DDEB1B86D647DC,SHA256=BAA94636CA604D0A63212D23B228AB4035469184F0929C0DC8CA72A63B5ABC15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454770Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:54.264{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B23C8082AC6D661C9E1DB5FDB9F4DEAC,SHA256=E792070B5E69A1C07EC490F5DC4D15179EB4C490A50F5A73A1C06318F1D96C83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454772Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:52.663{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61006-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454771Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:55.282{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3684B8090366CC465826E8672BCFE12B,SHA256=F6F2A38720B0C76B3F17FEEF426D048A67CF9D562F1CA0AF318123C56492BACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399571Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:55.140{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D72EE8F233371CAAF36218D8F0D9E78,SHA256=362401E4BA62DC845011A4DE9EFA9A36F66148EDBE27C3B54C82FF86D434A8F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399572Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:56.203{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D19494FF2B45DCE90A04D3CECDB22A5,SHA256=A1BF7FF8490F98D9D9637307567A3537B48BD1DAB9CB21F575930E9AC063F4E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454773Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:56.297{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10A2084880DABA0FC0ABA434CDAD7981,SHA256=0EF0E2A3F848A49FA2C67B80FB13DD868064E772A19E816A5945B8FC11FBED03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399573Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:57.265{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AFC2B4BCD572288F31DF9880B6A789A,SHA256=80BEB9ECB0B5F6663E8BF25D6AD1FC9BABA8DDBF3BCAC59BFBB321FE0B854F11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454774Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:57.311{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=015B902EE91F3A3E0A15F9E68883683E,SHA256=E8E0CAD2DC656FAE06FCF05419D429B3FCF45E8E3449A27DA27BB169C99C7AFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399574Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:58.375{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=955F9D53BE6B4141958BC0D5C9F56D82,SHA256=1F7CE78D4352294065CB2DB357D6A3A0BBF2C4BC3B97DD1106327BD763EA944D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454782Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:58.996{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454781Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:58.996{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454780Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:58.996{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454779Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:58.996{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454778Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:58.996{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0ABE-60E3-4D0B-00000000D301}5392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454777Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:58.996{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0ABE-60E3-4D0B-00000000D301}5392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454776Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:58.995{D694AEB8-0ABE-60E3-4D0B-00000000D301}5392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454775Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:58.326{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB2DB00B07D97FF2FCB4AA40593ACFC,SHA256=DA70E2500EE90FCB1DBDE25C90CBC9814B954589D0BDB1AB1873B1B586878A94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399576Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:59.375{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF0DC5CA4F9F92840649F83FD57A3D19,SHA256=42F8E242275418D7CE9A768D742D0F7BD05A35668443EA3F9A8A05371FACEF46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454792Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:59.579{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0ABF-60E3-4E0B-00000000D301}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454791Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:59.579{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454790Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:59.579{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454789Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:59.579{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454788Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:59.579{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454787Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:59.579{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0ABF-60E3-4E0B-00000000D301}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454786Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:59.579{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0ABF-60E3-4E0B-00000000D301}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454785Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:59.580{D694AEB8-0ABF-60E3-4E0B-00000000D301}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454784Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:59.361{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAC6C04BB1534024F84BD511523A6D89,SHA256=73274A17337BA2779CBCDB5DD86F7FD22FD72483ED2C621EB2533111152B0B15,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399575Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:35:57.254{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54000-false10.0.1.12-8000- 10341000x80000000000000001454783Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:58.996{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0ABE-60E3-4D0B-00000000D301}5392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000399577Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:00.468{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=490F1073DC901801713778F9CFFB1B5C,SHA256=56813AFD719C63969EBBA6C9DF23E84F067886D8A717FA1523309A225C35F3F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454805Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:00.394{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2178E6EC54D42EDE1A601EDB827D3FF4,SHA256=A3C57B006968D3AFBD3D6A87F9BE41B8B206EFAF52B4A093D4167384588FCABE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454804Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:00.325{D694AEB8-0AC0-60E3-4F0B-00000000D301}47082848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001454803Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:35:58.672{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61007-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001454802Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:00.179{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0AC0-60E3-4F0B-00000000D301}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454801Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:00.179{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454800Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:00.179{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454799Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:00.179{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454798Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:00.179{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454797Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:00.179{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0AC0-60E3-4F0B-00000000D301}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454796Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:00.179{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0AC0-60E3-4F0B-00000000D301}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454795Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:00.180{D694AEB8-0AC0-60E3-4F0B-00000000D301}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454794Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:00.029{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BBB28CEB88602FE82283917EDD95E45,SHA256=543349C6C1060A39479943E042714A51222182D6E153EC30BEFCEA04F65C1EA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454793Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:00.029{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A0ED68B14D32A4D041F0B1656FF2B16,SHA256=7F4C216ABF3A1115582CF64280660843E5D8A58F8B7384F514C19F629B2F0250,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399578Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:01.609{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B1B2006BFE03BF8AEE8954349F02E5E,SHA256=02C34DD7F3651B4D4EE8A64C7C092C5536E28C8DCA519F2278EC61DAE9EFAE9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454807Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:01.408{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EBC1095210C771640CDB430F6F6179B,SHA256=9B58CB7C0116FAAEF5F3BEA12EF788B8FB3F45FD93D378EC48D91E0DBAE0A84F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454806Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:01.193{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BBB28CEB88602FE82283917EDD95E45,SHA256=543349C6C1060A39479943E042714A51222182D6E153EC30BEFCEA04F65C1EA7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454817Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:02.958{D694AEB8-0AC2-60E3-500B-00000000D301}54845284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454816Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:02.806{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0AC2-60E3-500B-00000000D301}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454815Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:02.806{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454814Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:02.806{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454813Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:02.806{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454812Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:02.806{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454811Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:02.806{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0AC2-60E3-500B-00000000D301}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454810Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:02.806{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0AC2-60E3-500B-00000000D301}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454809Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:02.807{D694AEB8-0AC2-60E3-500B-00000000D301}5484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454808Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:02.438{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66DF062DA74746058B024BD2D2E61E36,SHA256=1641D0F60E1108688DDC60EF838EBACFF94BEE7CF0EEDF8E33C68AD0DB1DBE3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399579Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:02.625{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FF90EF11143F87A65B009221BF5FCAE,SHA256=23CC955889EB18D60A6DE813A36CEEC3EAEFF06F8B8835F9EB8C7183ECC5B596,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399580Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:03.625{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60205998FA05A18A72BC57E9911F1D12,SHA256=840650DC30BA15FFB28C6C0514F241F6E297060D0F0B42BA361E4007B71652B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454828Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:03.856{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55073A09D514883699B42188895A8AF6,SHA256=37ADDD65B188D786612E0D56E189156710B42A44EF72EF264E9D4FD13FF06BFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454827Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:03.621{D694AEB8-0AC3-60E3-510B-00000000D301}62566380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454826Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:03.474{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0AC3-60E3-510B-00000000D301}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454825Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:03.474{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454824Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:03.474{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454823Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:03.474{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454822Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:03.474{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454821Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:03.474{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0AC3-60E3-510B-00000000D301}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454820Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:03.474{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0AC3-60E3-510B-00000000D301}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454819Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:03.475{D694AEB8-0AC3-60E3-510B-00000000D301}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454818Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:03.458{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D868FFD763925AD9CD07045359D5AFB4,SHA256=A3767BF1D6F50D377FF578A7542594E563312E11DA0A6B0E9E735CECF8C79140,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399582Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:04.625{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E79E8E0983FE0EA64A4CA367DE88F28,SHA256=D3D029D4F71F04B818D1A4BEF83273F4C75EC969E7A767D96EA91692CE1D8F0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454847Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:04.988{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CB712294A17C2ABD11D5B9B97ADFCE0,SHA256=CBA9370F7B7A72109006F7FF112F952EF6301EE5D131E7224878078B801F90BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454846Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:04.972{D694AEB8-0AC4-60E3-530B-00000000D301}5448108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454845Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:04.820{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0AC4-60E3-530B-00000000D301}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454844Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:04.820{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454843Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:04.820{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454842Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:04.820{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454841Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:04.820{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454840Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:04.820{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0AC4-60E3-530B-00000000D301}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454839Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:04.820{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0AC4-60E3-530B-00000000D301}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454838Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:04.821{D694AEB8-0AC4-60E3-530B-00000000D301}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454837Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:04.489{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FCBA1E382706D61A0AC2BE26E9B2DF4,SHA256=8324E78510A90A761CD397C1A0B1C6EB773734F8C2AA43BDAD41ADC2F2BB9904,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399581Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:02.442{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54001-false10.0.1.12-8000- 10341000x80000000000000001454836Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:04.136{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0AC4-60E3-520B-00000000D301}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454835Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:04.136{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454834Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:04.136{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454833Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:04.136{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454832Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:04.136{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454831Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:04.136{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0AC4-60E3-520B-00000000D301}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454830Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:04.136{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0AC4-60E3-520B-00000000D301}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454829Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:04.137{D694AEB8-0AC4-60E3-520B-00000000D301}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000399583Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:05.640{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE37A4355CCE210FBE202A4812CA1E8C,SHA256=C3A38F6F14F4172C9B8BB851691F9889CACF589E3D5FA8629C3AC03DACB58575,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454850Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:05.503{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=212531DF7E751172E430ED8CA761F601,SHA256=A57F6BD4D874DF9EC1D37019BE8B4787DFAEF353E90062CBB5C0D7EDE39CCB98,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454849Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:03.399{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61008-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001454848Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:03.399{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61008-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001454852Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:04.666{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61009-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454851Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:06.518{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=307E5A2E5759D5F2E4525FEB12090634,SHA256=ED73774AE1AE414F6C5B2436141C2BA746D5534438C78ECDF8C3FFD4EAE9FB5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399584Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:06.640{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFD990657E6A04E2975F4A9867081C2A,SHA256=9E58BC6DB410935E2D78CCECC9745BD926ED31A6DD12B28E7EB3520D9C8E6A80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399585Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:07.640{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=228476AB7C59F3E0A4DC199208EFF11D,SHA256=E13D054CECA4142CFA2D449DD36151F577C843C0A0EF3B0EAD1D4331873A582D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454853Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:07.554{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D9DDAFE020D9C3E1C9FDA8FBFD96E45,SHA256=EC34205F8F9446BF07FB1D665B7DF3603FAFC69BAF662B1644AB93AEC39B356C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399586Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:08.640{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B25487BB50FD27765789FCB5B671F195,SHA256=B5C9BF830171EC8ED7181BA4433A7E1685F6838B4A4D723F3C05A2FC66CE77CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454854Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:08.569{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5733E17831B497C6E2D649E7CA6177A,SHA256=2CE3CD4BC1EF3B661B27EBF39BC6582A48BBBDB73F5AFA49FEBA2F7BBABB79A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454855Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:09.583{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3C4C2B3504F5247D99F0C76213407EB,SHA256=14A1CE8B23F1417C47067B808F9D8CF44C05B53D4310AD2B09D3D01318D947C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399588Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:09.640{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDC8321AC6D78B5646FA2B5838D7C4EA,SHA256=5EBB98285BAD0C1B1BF8A33210854A5368A6732A23EFD4891FA265F5DA0AED76,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399587Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:08.208{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54002-false10.0.1.12-8000- 23542300x80000000000000001454856Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:10.598{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=390764E510BA1905518E4B76F52003FD,SHA256=5F0E9591F2FD00F5EA25984C4F52BA1DC473AAA9C52522A7BB76DCC5952B02A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399589Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:10.640{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06634F760EF413CD51DFC2AACFF21E0E,SHA256=61909DABF20048D32FA1CD4668F379334219572228A60171EFD1339519CB1A13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399590Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:11.656{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8BF87A6D69790FF4CCB2F9FE367BB31,SHA256=2FE1EBAE316CFF52DDC48B3296FBD53F7E9242427C443474D17F6D894A9EA4B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454885Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454884Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454883Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454882Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454881Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454880Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454879Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454878Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454877Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454876Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454875Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454874Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454873Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454872Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454871Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454870Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454869Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454868Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454867Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454866Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454865Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454864Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454863Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454862Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454861Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454860Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454859Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454858Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454857Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:11.128{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000399591Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:12.656{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=711B39DC6F12D3443B4BFB3F4916D005,SHA256=27CC900A1C801616F39E2C328263C6DA5D9A65A21CF44E813A64C2D610DEEBFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454886Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:12.027{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E2527955E170F12A85293F66DA3B6E9,SHA256=A9E9C5036BB2B3FE2AE82BF56F9BAA7F798DA750B7EAE375815F590D7FA6A3D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399592Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:13.656{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D93FDE06DE3894551DAC9B40ED23125B,SHA256=A96D78197089D7E7EEF19C31EACA44FE084568EBCB0607B5D5E01C789F0CF5E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454888Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:10.690{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61010-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454887Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:13.043{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D158037087B4C69DB91FAC0F420FA04,SHA256=5F6D9F565F48C0DA94738DDB6E0E64E29E4DB0A894E89820760C27EC10A42673,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399594Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:14.656{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A84804240ABED77EB0CEEDCB03ED28C1,SHA256=515907C542ED52FD9BE6DDECD661E5ACD04B7B05D98C7767767DF1994D991CCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454889Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:14.062{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E77164B9C6C050CD2B8236121BEC505C,SHA256=F35B9674C113C53D840DFFF37231EDA2090D674E7F1288A95F8802971661A3ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399593Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:13.395{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54003-false10.0.1.12-8000- 23542300x8000000000000000399595Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:15.656{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BFE0320B884965C6FEE4C4408D869DE,SHA256=E0E4CAAE57B26706BF4013B5813A4BB4CD4531C0E7B3E59BC81C6CFDB27CC95E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454890Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:15.076{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E94F785E8AFA7B463D73B0D2E686E37,SHA256=5DD694EC6AACA295D2C935F3439D15D16AE819B69187B893F9E6F34A04EA9989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399596Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:16.656{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44DDCE3030D8B09786110D7D1480DAE0,SHA256=EB66CC611559099199B102E363F9F8927B0742DFA21707AF7508613DD4B7B521,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454891Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:16.091{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=306EC63022492ED30F1CFA178193947A,SHA256=89030E31C2E9A6897B30A333CC9B7D40D318B86AA5E450A5D11B000AE9897630,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399597Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:17.656{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A96238478165CE08EEBAC70D7B004A7D,SHA256=D7E546E57A0932AC557B212B5FD48F95452A8E02C1D1C3334DC3C7CBE3F767A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454892Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:17.105{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC2525800DBB90D98E49A30270D1C719,SHA256=4BB9B2363369EE2B1C31A0D020A8EB2AB0ADB8CAC14B7A566BD039D16A06291F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399598Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:18.656{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=036293D347DA9B94C480A625DE0D64D7,SHA256=E25130249388F4F84807308557ACDD97C64C938AA8C8E33870660B3773704206,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454894Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:16.483{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61011-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454893Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:18.120{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD63F41964F4435AA1C8A31FBF7E0DD0,SHA256=269A0B25635E9A659C29ACEEC5D3E5765A833BC9447B3604856F635B0299017A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399599Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:19.656{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB0C1233C406131FB30F37A966EE6417,SHA256=7FEECFCE627957DE6416EC1B32728A9FF0EED99EC07D52B9EB6C0CAD53F44970,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454895Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:19.137{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AD311759000D0A939344D6B41693296,SHA256=A3BDED4999FADC345352161C8232019D5381AE48F6D0C003E62F0D73F3284F72,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399601Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:19.364{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54004-false10.0.1.12-8000- 23542300x8000000000000000399600Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:20.672{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25261E97E5CEF21CAE9D9E41713DC44A,SHA256=0C06681958BE591F0AA126CBE20CB9CDD655D69432C4408A6D7315C11B8D6349,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454896Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:20.170{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AC7684EFAA4205991F81C221741D10D,SHA256=0E177EA626BA48E2F0EE2D624FC27C7B48E682FB4D339F0D2ED8FC4B54BF29AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399602Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:21.672{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32F1538F9EBBE8248C5D3B93FC07F1FB,SHA256=A60758ADEA19CD3F3454078CD72B44428A088B6B8D3D53B8283BD0AC3134DEE5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454898Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:21.600{D694AEB8-B3E8-60E2-0B00-00000000D301}6565444C:\Windows\system32\lsass.exe{D694AEB8-B3E5-60E2-0100-00000000D301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001454897Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:21.185{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0024ED2676E400641FD9C392188637E,SHA256=3D11D694606279DC781D4EB71F125DEC1EB4B891EAA326A019984A7357E6F0B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399603Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:22.672{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE6312574EE6AB5ECAB69B2AE98046B2,SHA256=EC291C3D65CBFFEA120C89ED31E2921692E020AC168ABA4BB9452D3E6DB65CFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454907Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:21.051{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61014-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local445microsoft-ds 354300x80000000000000001454906Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:21.051{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61014-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local445microsoft-ds 354300x80000000000000001454905Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:20.942{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-201.attackrange.local61013-false10.0.1.14win-dc-201.attackrange.local389ldap 354300x80000000000000001454904Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:20.942{D694AEB8-B3EA-60E2-1600-00000000D301}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61013-false10.0.1.14win-dc-201.attackrange.local389ldap 354300x80000000000000001454903Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:20.935{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61012-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001454902Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:20.935{D694AEB8-B3EA-60E2-1600-00000000D301}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61012-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 23542300x80000000000000001454901Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:22.499{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1898095EE69227B07C56C1C576249928,SHA256=A0E7A53CE8734A2C8207B2963CAF8C9FF154E6339F29161C40E47D0379D263EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454900Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:22.499{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAE562CD182137D0A50B8FBEA7DB4288,SHA256=D80E735C285B6254922CA6F29458E28241E1A23AEE97985CE4C4D057839D6EBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454899Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:22.199{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06C5F52942B271B4538F0302F685FD07,SHA256=1F9165A6C16143B58F22EA096615005751D6796771C9095EC8E215841F827520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399604Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:23.672{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48D674B5D7F5ECE6B8F6777D8C733A66,SHA256=BDF8D545525DF2FA7E345C1C2CDBC5C4386E3618C235DC32BFD95B66683CF689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454911Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:23.214{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30E5A90A75D706323C7A61444913CF49,SHA256=89F85D12A5A881839E6178573EA89AF4AF244046D2F248034C64A4C1302F2C87,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001454910Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:36:23.052{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\DFD6B7A8-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_DFD6B7A8-0000-0000-0000-100000000000.XML 13241300x80000000000000001454909Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:36:23.036{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E4B998BB-7148-4125-92A5-5D16014446F6\Config SourceDWORD (0x00000001) 13241300x80000000000000001454908Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:36:23.036{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E4B998BB-7148-4125-92A5-5D16014446F6\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_E4B998BB-7148-4125-92A5-5D16014446F6.XML 23542300x8000000000000000399605Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:24.672{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D4F059C3CC3399104FD037A19DB81F8,SHA256=C0784D928E49D21AAB0E77803CF30C0B898F32288016040797A8119FBDD30DB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454917Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:22.499{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61016-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001454916Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:22.499{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61016-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001454915Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:22.478{D694AEB8-B3EA-60E2-0D00-00000000D301}916C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61015-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local135epmap 354300x80000000000000001454914Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:22.478{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61015-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local135epmap 23542300x80000000000000001454913Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:24.231{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=083AA6B1828F505A7EF9F78631D51755,SHA256=8F9BAAAF93879077949313E95AE7F9D80E3642C124112320C4C60E21F7F822A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454912Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:24.098{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1898095EE69227B07C56C1C576249928,SHA256=A0E7A53CE8734A2C8207B2963CAF8C9FF154E6339F29161C40E47D0379D263EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399606Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:25.672{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E61BFE9EC9D4659F7C73E041AEC3821,SHA256=F954CF5DA469F8EEBDD95B6C3D87D5EEFEF01E1623DA7B703CA80EF9E2A5647C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454918Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:25.249{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3C9CD24AAFECECFA5B25B6CB9D86F43,SHA256=9A58336D5C184D8A73771C38A9788704F69DB688F569C4F27E5332F6D2987DD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399608Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:26.672{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4118C698F10BA92C862FB46A4EDDEB91,SHA256=E6E8959F8BEEDB21CB37955631DB054030716FD2A40D84BA8D5CDF7CE751CF1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454922Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:26.295{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED1A39DBA00B3701353DE1591FF100A6,SHA256=1774DA6860EFF03172280A1DE456C6550F637EB6BC74F007657DAEC4FF70EFF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399607Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:26.375{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D3F7AE9AE4549841519686D40B2373BE,SHA256=AB10878C051B56DE31A35F8EA72466640EB2BC420319D7983A26B2AA2391C12F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454921Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:22.514{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61018-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001454920Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:22.509{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61017-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001454919Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:22.509{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61017-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x8000000000000000399610Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:25.334{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54005-false10.0.1.12-8000- 23542300x8000000000000000399609Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:27.672{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B60DE0ABCEF5544B40741682B922E9C,SHA256=1BDD988ED748BFE8E186FEC6EC5D55B0D2610161951DF794722385621D441C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454923Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:27.310{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56D8AC7DB7C0DE48CDC9EBC326C2A025,SHA256=F314C397863BA3137C57944238BECE84C065AC6700779E05524CFF87BFE82BED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399611Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:28.687{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BAAF8D851AEBA681071A950B1792A7C,SHA256=F1FC286E13C8BD48A851B0275D3FFBBF130FB83F32CA214E0EC0E3EA1E918ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454924Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:28.327{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26B8E8DF60C86014C1FC4EFC021F2997,SHA256=9D301209495B55A1D9666D35A95E28806FC5B6E48A96EDC7AD3FAEDFED779042,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399612Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:29.687{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AF4BE9237C92A5D6E53AD403F68FF41,SHA256=17B1AA263907FD43332EFE2B459958BF8AD3F28FC94FD85B45A6C1071C0AF359,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454925Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:29.361{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F1CB5C3D8E1AFE29D25673444AFB9CF,SHA256=7724A75DA3CCDA191ABC1CBB6DE77B84E86CC389D7509A5B2AB9D4125178E1E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399615Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:30.687{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C346F886A1C2DCE61ACCF03460D0468B,SHA256=6066F54FC57F20DB3F8BE3AEDDC43BD5DE32A826080982D7667E2545677427FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454928Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:28.554{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61019-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454927Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:30.675{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454926Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:30.375{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDE077A3D431FCEED69C4782181738D5,SHA256=1A72333380481E463A981FA0035CF5F219481A7AD0F432F0CA74145E8E1491C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399614Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:30.484{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CFEFEA3D42E0FCAAEF9CC35D7540F69,SHA256=4FAE8D226D05950F1CD24A4A4BDC631413C42A5A07DC5814C8E6EED8AA60DB6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399613Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:30.484{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5D9A8CD45CFA153A158ABF9EBA27D70,SHA256=D8CEB91ED012C4E051880391CDCC991361A09DEE3E501EE03AEBFAD3B604CB69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399618Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:31.687{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CD03AE5F8CDEA1DD90E94930DE99802,SHA256=6ED7D3B3928ED7DA94F8E189F80BB554A35EEFA9F4863E7CE27849606C896A18,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454930Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:30.106{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61020-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001454929Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:31.390{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A51C6A7257A47D9E6B79D5E92CBDFC5E,SHA256=AC29BC91FD3CC28E1A86C0AEAA417D3DFC4C7238DEAB3C746D80E2BF37F03837,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399617Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:31.343{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399616Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:28.899{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-50275-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000399619Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:32.687{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=132A0072F85412EF2AB3373B0BB0F370,SHA256=210BDFF836A765B55AD9B00E6B7269670FE432DEB7BC18073AE45497ECEC4BA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454931Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:32.404{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=321E834521A71DAB12378C65AD41BB0A,SHA256=39CE3F6943D3E5A8590E8140EE711A4791BF1BE8A1F5A50A91F92F437014DC71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399622Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:33.687{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF2B4357A70340B6EACF95F66293356E,SHA256=CF2CD9D89F99C6BA9F804EB34A6D719A207B5AEEF74C92D088E31579300E5846,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454934Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:33.423{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D58B6864C02198A40DF80CFED511B69,SHA256=5B5D184A81ACA548A9CE2CFA283540EFEE4872C7C24B4C9629B6C940A9894424,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399621Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:31.536{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54007-false10.0.1.12-8089- 354300x8000000000000000399620Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:31.318{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54006-false10.0.1.12-8000- 23542300x80000000000000001454933Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:33.387{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F19BEC427F784A3D908F847AB9507D2,SHA256=A14A0A79C649F3407C96D573114C0F5EB17540C6D2CF2B5CD037419D86C8164B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454932Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:33.387{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B70F23E71A0AFE5B06CF0B5F91CAC8CD,SHA256=9742EC3C7D75C73B49BC8BF3B9949B636A76194D205B75275737EF5AAA0DBBFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399637Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:34.812{7F1C7D0B-0AE2-60E3-BC0A-00000000D401}34801556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000399636Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:34.687{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7F96C9335404747D16D5AAE8CD699A6,SHA256=9EF715A5334A6DD6B7C13641D9DEAFE974812988225E5642219F57B12F45369D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454936Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:34.439{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B54FE0B47B1ED53F42DC2E6BA102C424,SHA256=A2A8B4E56D6973A20046E2B99A81D656ED4B7D5D91BCFE3481C77A3453F77FB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399635Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:34.672{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0AE2-60E3-BC0A-00000000D401}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399634Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:34.672{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399633Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:34.672{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399632Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:34.672{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399631Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:34.672{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399630Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:34.672{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399629Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:34.672{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399628Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:34.672{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399627Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:34.672{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399626Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:34.672{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399625Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:34.672{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0AE2-60E3-BC0A-00000000D401}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399624Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:34.672{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0AE2-60E3-BC0A-00000000D401}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399623Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:34.672{7F1C7D0B-0AE2-60E3-BC0A-00000000D401}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454935Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:34.018{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=59D70B87748D61508BBE554205E7AA15,SHA256=07E5FBDB7BED12A783D2598B35345B4CFFFE8E2792CF9F798117033F02CEBBB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454937Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:35.454{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BEF4C0C6E495200A8A47C67A4994E1D,SHA256=2D2056E15EEB118EEEDB514BDC688CAFD580AC9F9714D27EFAE73AD9BF8234A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399653Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:35.782{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E165EC45F52C2B155C18D497C1819895,SHA256=F90A7CBA062408E01540EDA55254EC17290D1FBBDD17DC5C9EF5BFA43F7C6269,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399652Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:35.782{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CFEFEA3D42E0FCAAEF9CC35D7540F69,SHA256=4FAE8D226D05950F1CD24A4A4BDC631413C42A5A07DC5814C8E6EED8AA60DB6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399651Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:35.688{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F4C46D5220A6171F8323F83DFEDBF8F,SHA256=BAACA32C189172249D1F1F9B000688E07156C30A12F6AE722134D35D846F3889,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399650Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:35.343{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0AE3-60E3-BD0A-00000000D401}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399649Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:35.343{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399648Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:35.343{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399647Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:35.343{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399646Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:35.343{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399645Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:35.343{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399644Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:35.343{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399643Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:35.343{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399642Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:35.343{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399641Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:35.343{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399640Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:35.343{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0AE3-60E3-BD0A-00000000D401}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399639Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:35.343{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0AE3-60E3-BD0A-00000000D401}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399638Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:35.344{7F1C7D0B-0AE3-60E3-BD0A-00000000D401}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454938Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:36.469{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB51BDD4882CBE3E5314392424E64C2F,SHA256=C2EE9B06335F191D14EEA672B7EB77CF64C511F19C5249AF6F4AF894CBFEF7EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399667Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:36.702{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A72F924B2074F2409990BD0CD246A59B,SHA256=F43C5F8D91956E705350D5BA4C672EA30B4FD298FD7EAA0F24917D183C6F3C02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399666Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:36.016{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0AE4-60E3-BE0A-00000000D401}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399665Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:36.016{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399664Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:36.016{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399663Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:36.016{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399662Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:36.016{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399661Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:36.016{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399660Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:36.016{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399659Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:36.016{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399658Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:36.016{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399657Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:36.016{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399656Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:36.016{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0AE4-60E3-BE0A-00000000D401}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399655Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:36.016{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0AE4-60E3-BE0A-00000000D401}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399654Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:36.017{7F1C7D0B-0AE4-60E3-BE0A-00000000D401}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000399669Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:37.704{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6761E69CAF0C35B638ECF6F171EA815,SHA256=13981B7EC2CBDC863B419D62015D1A56C92651ECF98AF01E7941CA588FD04163,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454940Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:37.483{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6F29042411741682F26E9AEB10A945F,SHA256=A4F5089A0B051BED62749664146510F5CD209AA81C9E30991D9F4C4017AB1896,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454939Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:34.585{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61021-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000399668Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:37.030{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E165EC45F52C2B155C18D497C1819895,SHA256=F90A7CBA062408E01540EDA55254EC17290D1FBBDD17DC5C9EF5BFA43F7C6269,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399673Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:38.735{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F4336306D0872C07459A6D4F962D883,SHA256=9E716A453AB06979B6CE8152D904D514DB8048506D5A994B10943A70B124BA99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399672Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:38.704{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDBA579F296AE85BD98C2528992971D4,SHA256=4ACCCEC6CB6134AE4E6E7D10289245B8D19600AE316B327511B6B5BEE53155EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399671Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:37.431{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-35808-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000399670Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:37.316{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54008-false10.0.1.12-8000- 23542300x80000000000000001454941Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:38.516{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40C6BA31193D1AC0A59418B213B4C81D,SHA256=DFC5201FA6A79AF433F5F122B0B2DF2A3598A8865B6F220248C64AF24894718A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399701Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.845{7F1C7D0B-0AE7-60E3-C00A-00000000D401}5121072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001454942Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:39.534{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B5BEC534224A499821C53EE42936171,SHA256=F9690B5ACF4C769EFC0BC2A1FDAD7DEA61895FAFFCD0A47EEB266829D86C5414,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399700Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.626{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0AE7-60E3-C00A-00000000D401}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399699Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.626{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399698Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.626{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399697Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.626{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399696Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.626{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399695Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.626{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399694Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.626{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399693Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.626{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399692Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.626{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399691Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.626{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399690Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.626{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0AE7-60E3-C00A-00000000D401}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399689Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.626{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0AE7-60E3-C00A-00000000D401}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399688Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.627{7F1C7D0B-0AE7-60E3-C00A-00000000D401}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000399687Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.345{7F1C7D0B-0AE7-60E3-BF0A-00000000D401}40842272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399686Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.126{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0AE7-60E3-BF0A-00000000D401}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399685Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.126{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399684Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.126{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399683Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.126{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399682Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.126{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399681Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.126{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399680Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.126{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399679Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.126{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399678Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.126{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399677Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.126{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399676Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.126{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0AE7-60E3-BF0A-00000000D401}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399675Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.126{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0AE7-60E3-BF0A-00000000D401}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399674Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:39.127{7F1C7D0B-0AE7-60E3-BF0A-00000000D401}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454943Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:40.565{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C469F4830C48439E7712189E1070AAB0,SHA256=9865E491C26AE2F7207F8483E5C62104FB99870D6FE8A47F6BE5E6D8F13C56A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399730Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.782{7F1C7D0B-0AE8-60E3-C20A-00000000D401}25163920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399729Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.626{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0AE8-60E3-C20A-00000000D401}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399728Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.626{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399727Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.626{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399726Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.626{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399725Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.626{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399724Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.626{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399723Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.626{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399722Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.626{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399721Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.626{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399720Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.626{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0AE8-60E3-C20A-00000000D401}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399719Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.626{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399718Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.626{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0AE8-60E3-C20A-00000000D401}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399717Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.627{7F1C7D0B-0AE8-60E3-C20A-00000000D401}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000399716Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.157{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1916E8ECF8A607F614F0EE70A0FC8095,SHA256=914FE3F471E44ACB4EDE0CD82D12E808D010804F95B77B732AE64771183CB93F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399715Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.126{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E589FBF26A1739C165A947E249A57C0C,SHA256=B2D94A25F6AFDF18AEE9BED755B4A650218F44F0DF57F8967313038B3858046F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399714Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.126{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0AE8-60E3-C10A-00000000D401}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399713Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.126{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399712Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.126{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399711Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.126{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399710Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.126{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399709Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.126{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399708Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.126{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399707Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.126{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399706Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.126{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399705Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.126{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399704Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.126{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0AE8-60E3-C10A-00000000D401}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399703Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.126{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0AE8-60E3-C10A-00000000D401}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399702Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:40.127{7F1C7D0B-0AE8-60E3-C10A-00000000D401}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454945Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:41.595{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E40578882B89FD7D6A5F21C2A9C03D8,SHA256=5182356B81E5059885708EC4EC0FF6120DD522E1B2418DCC24A503203669DD0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399732Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:41.673{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56B856B93F51EB28738AD8B2FDF36971,SHA256=9BEAD0230EFC66C6BC4BAAD44FD2B4A123C1CBF70B6F0735F3A8E3E8483641E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399731Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:41.313{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA082E32F59BB537E9690B1A9F4EBFDF,SHA256=CDD07E5893D5758208AF62AD0C43505D0E34A40DEE0B7291F272961D8E3F627A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454944Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:39.596{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61022-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454946Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:42.611{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EC0B6859047E8CD092A493C41DBA4B2,SHA256=5466C034C999ECD15747D7401E5213E38992669C202AED29AA34CBCE06FDFAC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399733Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:42.548{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F79A3371E48FED1836AD88AE6EF47F3C,SHA256=7201536C3E3FB24EC7EBD15AD6236AD6CED434F42CED319AE01348CD6FA3688B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399734Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:43.548{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6930A85BB652872744171B8F24E988DB,SHA256=54E9672D8064B9298150A88A629F236135E8494C37FC0549701A1CBF7D731C16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454948Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:43.631{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DB304F7269690DE2F03501CFE6B751C,SHA256=16EFDA0B5F603609300B7E29BF39AC4FBE6B35F5509E0D4EC9D36CB6881C3952,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001454947Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:36:43.062{D694AEB8-B3EA-60E2-1000-00000000D301}416C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d771a2-0xcabb31d0) 354300x8000000000000000399736Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:43.287{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54009-false10.0.1.12-8000- 23542300x8000000000000000399735Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:44.688{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74E86C96406B71B1A3EED01AD6BABFE5,SHA256=186AFA8F4EAEA4FC8CBEC2F3B62586409CD9A1A14E45D91B3D4AD5D6B5E67264,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454949Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:44.645{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFDE02A95E11EFCCB3A93AFE6B694BF6,SHA256=541A8998E463D239B665D4DBF41768F9F71AD6842794379624A7DF34AA139353,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399737Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:45.704{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BD1E1774A8394800BBC5631EEABC3C7,SHA256=17271FAA21A8284BC4BBDBCD0097E0AEF32D23320BF80FC95B069406D90B46D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454950Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:45.675{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2391528E485DF7F1D8361BAA6CEDCDF,SHA256=EA7B83FBA65FCC05DA4CA847B3A15F665F8673913B54466036C72B4C25C45789,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454952Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:46.690{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EA0981A6F22A4E223E4BB8E4232994E,SHA256=A13805322CA3AD6DD77AD8C0532DC2AB7E782DF88C83FF432632EFDBB37D54C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399738Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:46.704{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5AAEA4ABB49AF44A7BEACC55F039B97,SHA256=F8F2D1B363E39A4FE2AF53B1EBFE7B143F63E3212119E2967130EAB5A7B82648,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454951Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:44.607{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61023-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454953Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:47.707{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F0D6BC04C6C006319E9072795866082,SHA256=A35EF2A8DD9816D68A0A81241FDA35F7990419744A3B8A1BF43CB1C6D4823A65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399739Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:47.704{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49B74C87D7E659E52DB7CBD3E973A59D,SHA256=587545E2F86402CAFB325E44D4AE8DF86DBDED4F33796907616623B784433702,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399740Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:48.704{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8B1C8C29BD46DA78AD3F393B6E1A3DA,SHA256=77E92E9A37E6FBDBC7496C12134962E0FB32178B2E79A5EFA78ED90DD46434F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454954Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:48.725{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=337FDBAA944732504FEB855013E153DC,SHA256=04A503F002E2244B6C71D8E6DD5007A06CA9FD8F999E706571B2A120AAF2F6F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399741Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:49.720{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDEBBF656504C576DA5EF23B041E692C,SHA256=1B3CDD2AACF76396B52BC7B2836F37FC76FF5B56BB036B68A9B205735C5309DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454955Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:49.740{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D01CEABC5454D5535E16779E9993F726,SHA256=87FA561492F87D8DB91F5F5B5FFB2D67C70D154AF2A95D4F1E378B79B6A643CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454956Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:50.770{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=696F6490C3085BBE60104F88F9010135,SHA256=FF9F9BA65D86AD38E4B7DE7AB3AFEB81EE3F073320F6D3667F4054BE164AE50D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399742Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:50.720{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=462A17F514D342B61F9431139E1292ED,SHA256=57C476BE4C44CE8EA9BB3A30ECEDEBC2F4AD40D69C2F215A5A645BFBB3C8DACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454957Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:51.770{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20D7481572B7E65912116B3E6B1707F2,SHA256=CECC57D3C3766A79CFDBEB8F1B6903DBA0B8AD0E62ACC15291A5BB3EC490A0C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399744Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:51.720{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E17C6C102ADB071F95C27DE8F137C669,SHA256=492296FED49DF4E2B2820B3567783A3F86F8287DA16F77DC55625A2FE1F1D264,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399743Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:49.272{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54010-false10.0.1.12-8000- 23542300x80000000000000001454959Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:52.938{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23BBB46BDF0B7A5104C6498F07E252A6,SHA256=8D5C3432747B3BB534FC02F684E8CB4601F6EC8227A36B1F33E2B9F54308BE8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399745Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:52.767{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=004BF8CE63BBB1D036E78B798AC9A729,SHA256=5D69411D13964565508F94B4B2B6F49FE5B3EF81263A5029DE6E8893E909F69C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001454958Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:50.633{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61024-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454960Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:53.968{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E57E33421A755130A534499894242AA,SHA256=8371E62E860DBE88C3409159D078752029021270522BC9B4C60DCD338B330C63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399746Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:53.767{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=452884BD5DBDA1ACAA48DAB9C5EC0361,SHA256=068946C93EC48BB0263AC8D7ABED3EB3C4858AD17E9D1243FD1C15D57D86FDD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454961Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:54.982{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8684F29D5FD75DF530DD6B058AC3982,SHA256=AF007A687DB916B7E9B5B617E419411D2EB3F765F9EAFCB5F1F28E5C1E81F818,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399747Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:54.767{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BDF00FD722BEFED5C91A6F980C4FAE5,SHA256=F5FBB44F8D7884BC83F518718327E09FAACD357E4B249792541F1B327860789C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454962Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:55.999{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71FAFC4A19CCCAF2F118E0AEC1C92B12,SHA256=01180CC90F52DC89219A3DA1F420AE2F21AC4E51A5B4C5D1F5DA6D585FF4E7D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399748Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:55.767{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3D9F590B6A9CF018348AF250A70C81E,SHA256=292E6B5E53787046419969FD5448B376EE9E32AF25F5C6E6E2FAE77AFFC7DA6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399750Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:55.256{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54011-false10.0.1.12-8000- 23542300x8000000000000000399749Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:56.767{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C946E87FCC0F48E8FA1A396EF95BEFEC,SHA256=F17461ECC351F608721998221629002004774FBEB9645DFB45229D0DC4C4E993,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399751Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:57.767{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A68811092958D18980A8187160B57E2,SHA256=F6589768DF80010736CE2EBBFA420C4693AC0A8A34CB8F4FE03C16D605120AC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454963Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:57.018{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=684EDCA8D49461E47676D66113E320F2,SHA256=22124EC137419B8936D52E56EA7A9816D3EF138186DA955A86374F1F2CB386FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399752Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:58.767{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F7A7206FDD86B067724B3CC416E2B9B,SHA256=451C9C9A45C44A47B6FFBDEFEBF66D574B07F8EC9B11745FF94954D8B7D5C624,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454972Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:58.997{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454971Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:58.997{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454970Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:58.996{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454969Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:58.996{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454968Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:58.996{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0AFA-60E3-540B-00000000D301}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454967Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:58.996{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0AFA-60E3-540B-00000000D301}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454966Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:58.994{D694AEB8-0AFA-60E3-540B-00000000D301}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001454965Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:56.642{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61025-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001454964Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:58.032{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A78055E098389E4957DE53356696148,SHA256=B70D06B1201262FD36B81B9988565650D68C56E39ED3BDCD9F2A18278E731671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399753Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:36:59.767{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BB483DA8805D1DBD5142115D501B8F1,SHA256=C2DAFFCEDF32FB81B7F6E312BF780587480ACC3CC7D18AB83ADAFFB82E670FA2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454983Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:59.877{D694AEB8-0AFB-60E3-550B-00000000D301}57446316C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454982Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:59.678{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0AFB-60E3-550B-00000000D301}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454981Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:59.678{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454980Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:59.678{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454979Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:59.678{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454978Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:59.678{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454977Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:59.678{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0AFB-60E3-550B-00000000D301}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454976Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:59.678{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0AFB-60E3-550B-00000000D301}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454975Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:59.678{D694AEB8-0AFB-60E3-550B-00000000D301}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454974Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:59.047{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD0CCF0DB563EFE150D9468965944AD1,SHA256=0AAF83E44C1F39B8D3986DC688CFC70DF7F3195337B67EC5631E6FE3BFA8E7E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454973Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:36:58.998{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0AFA-60E3-540B-00000000D301}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000399754Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:00.767{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=589A4DA1B3218AF896126BFA9B1D3238,SHA256=4E47EAD4A5BCD5EA1B37C685B62B3336ACF4173CE5405A90D6A0D4FAF8837114,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001454994Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:00.361{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0AFC-60E3-560B-00000000D301}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454993Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:00.361{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454992Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:00.361{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454991Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:00.361{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454990Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:00.361{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454989Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:00.361{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0AFC-60E3-560B-00000000D301}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454988Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:00.361{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0AFC-60E3-560B-00000000D301}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454987Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:00.362{D694AEB8-0AFC-60E3-560B-00000000D301}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454986Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:00.057{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=416D81F229E2F742BBCE2D1B729F58E3,SHA256=AD63FDB48D2364D278417300FF13F83DFD516C20CFF37F96B5D6423209D9C0F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454985Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:00.057{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63208E1652F0C47353D27ECBDF28B9A8,SHA256=DF8B670B1DF89FEBA7C1BC04A4F8BE947471175B3068DCFFD3A3F55BC0F20CDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454984Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:00.057{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F19BEC427F784A3D908F847AB9507D2,SHA256=A14A0A79C649F3407C96D573114C0F5EB17540C6D2CF2B5CD037419D86C8164B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399755Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:01.767{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE0EBD3DE44439F82F00059E564E0BCF,SHA256=80CFEDD201FA92AE13CCF93A1E202A1395D1BAEC481D2C1D6E05F1F0CDB68EC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454996Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:01.413{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63208E1652F0C47353D27ECBDF28B9A8,SHA256=DF8B670B1DF89FEBA7C1BC04A4F8BE947471175B3068DCFFD3A3F55BC0F20CDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001454995Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:01.063{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E98573FC9180F44982DCBB400DFBBBF7,SHA256=3F120C752C3DE4BB2E9914D829E5A3CA6E7F48BA48EBA19D918BC2F04079E64C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399756Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:02.767{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B96CC7EAD0A530340E9EBA0C8DD4F27,SHA256=1EA3CFE407098976845AF08A8270EC5EF83F557C1B0AA819829154C219AAED83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455006Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:02.875{D694AEB8-0AFE-60E3-570B-00000000D301}23286688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455005Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:02.713{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0AFE-60E3-570B-00000000D301}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455004Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:02.713{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455003Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:02.713{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455002Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:02.713{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455001Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:02.713{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455000Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:02.713{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0AFE-60E3-570B-00000000D301}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001454999Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:02.713{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0AFE-60E3-570B-00000000D301}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001454998Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:02.714{D694AEB8-0AFE-60E3-570B-00000000D301}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001454997Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:02.094{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0943D47D3783E58AC97BB38DC29A3232,SHA256=13191A50502990B8E92B85010B7E483E27829A34700BC1508DA90DD9135FAC49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399758Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:03.767{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE766EDCDB993E7885DB2E4BC18E9F5F,SHA256=F8FA8C4B23F24180D4BD3C3019068061F39EE8234D2DA0C021D4E9CD6315351A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455017Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:03.843{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DEF8F23200813588627DE9D339FBE76,SHA256=BCD484A671AD7DFA903676D93DA6C86963EA40FE47AE050991A1752545F23179,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455016Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:03.512{D694AEB8-0AFF-60E3-580B-00000000D301}4324552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455015Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:03.375{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0AFF-60E3-580B-00000000D301}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455014Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:03.375{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455013Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:03.375{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455012Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:03.375{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455011Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:03.375{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455010Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:03.375{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0AFF-60E3-580B-00000000D301}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455009Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:03.375{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0AFF-60E3-580B-00000000D301}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455008Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:03.375{D694AEB8-0AFF-60E3-580B-00000000D301}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455007Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:03.112{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=461FB01A5EE31A8F8F252F458E23FD10,SHA256=84ADE9B991300B22F67B571FF4693D9F7A34CD97F67BABE3C8D974C9D336FF77,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399757Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:01.257{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54012-false10.0.1.12-8000- 23542300x8000000000000000399759Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:04.767{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54CB7B8E4CA8FC00CD7E110C97D15B8B,SHA256=48C65B499018F5C8B6BE693084A57DBDA6D8449CE38BAC73AA65BC01535C1E7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455037Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:04.974{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E237BDF6BDE1D0C3A1190DB19D0DAFFC,SHA256=64762F144E6E8AAB0D793E6C32FBA4399AD2DC645ACF0FDAD33ACB5C06E18D9B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455036Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:04.728{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0B00-60E3-5A0B-00000000D301}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455035Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:04.728{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455034Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:04.728{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455033Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:04.728{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455032Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:04.728{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455031Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:04.728{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0B00-60E3-5A0B-00000000D301}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455030Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:04.728{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0B00-60E3-5A0B-00000000D301}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455029Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:04.729{D694AEB8-0B00-60E3-5A0B-00000000D301}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001455028Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:04.197{D694AEB8-0B00-60E3-590B-00000000D301}52085040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001455027Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:01.659{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61026-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455026Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:04.112{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F34C1A938B1450E757605725BE2854B,SHA256=8509CAD73C5A3C4C1919A2DD307FA5B5C177C2FC30BCA3047AA143123D0830FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455025Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:04.044{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0B00-60E3-590B-00000000D301}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455024Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:04.044{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455023Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:04.044{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455022Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:04.044{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455021Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:04.044{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455020Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:04.044{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0B00-60E3-590B-00000000D301}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455019Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:04.044{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0B00-60E3-590B-00000000D301}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455018Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:04.045{D694AEB8-0B00-60E3-590B-00000000D301}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000399760Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:05.767{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AA29A111489F6CB297B5D18E5F2A646,SHA256=F224736735FB4AE5B567F6C54D27CE3B34EBE3C9117695AF554D4907D9F24D5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455040Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:03.406{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61027-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001455039Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:03.406{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61027-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001455038Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:05.127{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BAC005A5F5C0B0B5672C4467206B4D8,SHA256=F39A6663DEA9008548F2B700EA6C46EBF0B04D5BCD313989BD3FA42CC178B0BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399761Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:06.767{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E3240159B2ADBE433C5F5AAE51C1815,SHA256=452D87E36572B108C3858DB718322E950ACD1C477D0ED3D65DDE5434BA018699,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455041Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:06.142{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B4D42AC5A814735459EB4083E9640D8,SHA256=7DDE7FEBD3E5FFB4F25E7C09281E910B441C3BC6C3435725C118A755545B8D33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399762Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:07.767{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0CE2EE65190018021F1B3B4CA3E5BB6,SHA256=B2A54F35E8796E21FF8BB0AD8E6E90713461972C3EB6EB151D8BAF11E912035A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455042Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:07.172{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6513B0E10D73B07912259962311D945A,SHA256=A9FF1E1433BAC80F1878B89308D5562EB4D0900C3929B3DE88C4B49A9ABF5AE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399763Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:08.782{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=130D8A00E743BC18CBC0F9FB44BC466C,SHA256=62AD6F17D3CB70C0F25F93B47D26C3E3FB2721830BEB77A8C7D3070DAC4F4F42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455043Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:08.172{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E79B5994DAA014473C7B066AEDA1A6AC,SHA256=012522C89ADD59FFBF1277AAF6125AF104B96BDD34779A465CC11F5F49D5BBBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399765Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:09.798{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8BC30D90C56B8F38CF97AE835C278A9,SHA256=ADEA31286234B4DC1ACB2ABFA6B5CD054921C87CF5630DDA21C09D1B8BDA37FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455044Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:09.190{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=766C3D1816A29ED4A04A7D54B9CEBDB0,SHA256=9A0BAEC8AE97C967BA786B989C83BB6BF1E4C408B1E8CEBF8794408EE63499B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399764Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:07.272{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54013-false10.0.1.12-8000- 23542300x8000000000000000399766Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:10.798{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FFBDC09772507F9CFEABDED42F10764,SHA256=369248DD4E07A8B7CD7D53BBB50175A4159B69C32B3EA7C845E3303157C82860,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455046Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:07.657{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61028-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455045Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:10.208{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6714C12D0CED89AC832252590C9A464,SHA256=8153D34368F04F835470ED75187554D738912AF1275A4106601D64122DABECDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399767Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:11.813{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C6918F0C78137BDADC0F7DE7CA0553D,SHA256=7C07B9B7F735F0A3EA7DA4F1DC6835972CE990672CFC26C218E2E95B92ADF906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455047Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:11.222{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8422B9777338C4F6D56090A9D1ECA1E4,SHA256=B0D0D9FC9FB871A0775B370ED75813D672A04D825372544B60CE960224E1C699,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399768Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:12.813{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA864DA379DEB9CF0709CAA3C03B881A,SHA256=3C5BF112AAF1D5DDAAD4FD37826F4920C0A248E52FDBAD5A0A48B4EEA41D504A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455048Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:12.237{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED9B87965C68864C264F9B7C666A9247,SHA256=4AFBBEC666590118AEF2FD28C96E137B6F4940462E94A29D47FAED655020CBD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399769Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:13.813{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE316507D20E151F868AC747B09B7FA0,SHA256=10F69AF5E0F9BB9B58FB612A88202D4FE1777F352D156E945618A3500B7C1023,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455049Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:13.267{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D65070A5A9FE0BAC1B927005BDDAD34,SHA256=7B7ADEFE9243A4B2F82A6D828B90050ED84E954F75B105572D8D4957715BC7DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399771Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:14.813{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF37ABE3DDD50E69DDC8B26076F64359,SHA256=229B4E3975EEEE5169F2139A78D5DCC5CCBA20E43D8C2D724BEFB4660CCE386E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455051Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:14.618{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=43BA2A50DBDD3681EE523BE05BF65976,SHA256=A54A3E10428206109A87D8EBC0BB7443BB2DBA6368F6327599CFDAD001C505C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455050Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:14.285{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A53C7D60FF0170708A17E19B26617D5,SHA256=1F4E005A2A22B71BE730D0F463112B4F7427C0DD85EBE02D88E1757CC91595C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399770Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:13.241{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54014-false10.0.1.12-8000- 23542300x8000000000000000399772Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:15.813{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB2AF6A9D9BCC566ED7CBEB5CD0A2ACB,SHA256=D1BCB26C134A5C0900BB765F860B40438A6D0792FB679AE1DD511C16EECA60E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455053Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:13.650{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61029-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455052Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:15.317{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54B5300D771FC401DBAE247FBAB8DDFA,SHA256=F09494C1A36169E3B97492A422D8D9F6C5DD315E4D00D93A154C03CA656310A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455054Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:16.335{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B564F515C4CB3367684A3126C8AC6139,SHA256=32D9449FE1E4429F520EB86AAED5FDCD1079BF255DC13C82266A0EA45164DE31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399773Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:16.813{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B23FFF2625838E4643D0C5CE108FE33,SHA256=418F134DB22534F7E7993985A57B9D67CD26883D73AB353154657A75DA4E0E09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399774Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:17.813{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4164E5130C9D3B18D30D442CE8630D1,SHA256=D392EEC87E09C12BE349EA540232A84B343FB7D162D593FF55CD7987A61CFFF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455055Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:17.382{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7F3C90371799D725B132DA33BF139FD,SHA256=779B6D60E9FCFB9B76DECEB56D33B2F1F5F981834CB0E83B3CC792B3DD221468,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399775Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:18.829{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDE5E4371554703C56FB7CB40F34550B,SHA256=CFF3ABF040CC9DBE1CFC92F4B8EB303E77990588B53DF06EFB900CD1B1C546F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455056Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:18.401{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94CD2B23611D0DD8159907EEC339A8A7,SHA256=2D799DA9A12D8C05EB857330E709F013031898BAF6C19C4F6EC45CA9D7172744,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399776Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:19.829{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4C585D3679F9920F608E052AFB9BFB1,SHA256=DD8C20C09ECE2BDA53C89577F3D4A7F8F3F1FB17A4E70B88918940263D2E589F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455057Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:19.416{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=386085A033CAE388CB4F5609409687F2,SHA256=466F3758F5B94997DCBAFCEE21FDE2F2FF50758833FCDD8FDCC6C094D4D326F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399777Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:20.829{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CF2FC55EEB59DB5645588F9D62D49FD,SHA256=051AACD4B7E950C65BE05CF2AE6B1E7C34A00F4E8005E0FD5940859F64E25D59,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455059Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:18.663{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61030-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455058Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:20.431{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4F5C61BA09DE14CB33FB9CD7E109FBA,SHA256=49C0D2B7B1696A84C960A77B6FC4679EC12297698C7804676F9E3E76417DCB88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399778Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:21.829{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBD95BF68D28D4BA2A9A4F059D1FCF90,SHA256=B4293080D380D576496547F8088D198C27BDCA54EFD4F4EB8D6731F2FF2642A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455060Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:21.462{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08BEDB6A0DDFD1F495F78E611780CDD3,SHA256=E5C115F855287BDE18184FDEF4E7106DD37D9914F940F8D1AA2493451A9963DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399780Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:22.829{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BBE917A44AF57B65656E7B3CF3D6DB9,SHA256=A028D222551723B54BC6B810D7CB89D9E5D2ABD2860DA283264AC011F32E5EFC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455062Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:22.498{D694AEB8-B3EA-60E2-0D00-00000000D301}9166272C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1600-00000000D301}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001455061Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:22.481{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=282654B5597272A2E502A44976B36848,SHA256=68DAA3BD36164167C014BC860ED513DA060B877BE0DEBCE56471346FBEE96248,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399779Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:19.225{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54015-false10.0.1.12-8000- 23542300x8000000000000000399781Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:23.829{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30F9FBD3F7B93843A189A60142429699,SHA256=F595E2FF977DAD0BD0094E0D2860F22EAA3EC9415C983984FDC23D99715C0CD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455063Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:23.497{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EC3A76E0BE9FFF6E8A3A5508E71C762,SHA256=1229019B91F054511365FAF7BCB2C30CB7BA6A4648822BE8429F75AF424E968B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399782Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:24.829{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0286A0F80156F22DB9D276575A8037AA,SHA256=37A6235796268F26391FBCADAB85444F3D201C0E720A5EF5729DC9271DF92A1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455064Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:24.511{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E39BCD7ADD2CABE2AB6D624C15FD9239,SHA256=ED96648BE786DEF99893619A0E59884B783E56C6F191EFC3EC25DF513313C649,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399783Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:25.845{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1FAC049D020D0C7B888F1681DE502D9,SHA256=50A23801B342D51DCC423A73F5A860E50BF6AE8AC5DFB82F827EFFC5D125DE40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455065Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:25.526{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62CD33EDB6081F077E59A303F19F38FA,SHA256=1814292A93E39EC5342719F7B7FFC271A91E269D19C814FEFA5455C785B42080,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399786Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:26.892{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52A69D08785EEDD4FD4514BD816D25EB,SHA256=81793B6F137B4201D287A4FD00DA58770FFCB0D412D9FE8ABBB74F9B5BDD297D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455067Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:24.688{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61031-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455066Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:26.556{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1F6ECC98779E0C33572C9AF02114B1A,SHA256=FCF48F3EF119EF182783047F29552E784C0B42D8D7F5673F0A65E41E684F2824,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399785Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:24.444{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54016-false10.0.1.12-8000- 23542300x8000000000000000399784Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:26.376{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E2422BFA9514B6C0F7FF9D01ACEBDDDD,SHA256=A73C679E00F14CA51B470238FC34000B04F5ED7D3101F63DC78FAF0E5B18AB7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399787Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:27.954{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E62C5CB7E1565937A04CACE73AD12BFE,SHA256=F7931DCA2885E146F9E932E2FD56A8AA7FA1866A51F128A5014CEE769E8E98C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455068Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:27.573{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34A3467CE6DD7BB5B34CB47B61072292,SHA256=D1381C9D02DDFA9FFA0F9B9912817BBCC55824E37DDC0969AB88113D7B27B092,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399791Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:28.954{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC1DE95678C2BD843025FC0C1E682B61,SHA256=4A676E60191E44B27CF125305D67ABEDE3CD45EE5B5966F56BC9244A1591EF9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455069Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:28.591{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=777899023300B35EAEB6BD808FE62F77,SHA256=3A2D9B4F942D54A207F7039AE53FD48C21CBFC53BAAA81FF89AA34443A567C32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399790Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:28.251{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E4-60E2-1300-00000000D401}848C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399789Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:28.251{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E4-60E2-1300-00000000D401}848C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399788Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:28.251{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E4-60E2-1300-00000000D401}848C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000399792Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:29.970{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4ED827A915BF1B27AA7C88F40E78AE5,SHA256=6C789B3AD6DA2830E954665F2F0C0F2B030C760432953FE4DF35C20BBAA474F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455070Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:29.606{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAE412E17A2B28D745767BF03CB747F6,SHA256=D0515CAA9FB61963C2C123DE36C3E24A5DFA86F97933E4BDB99917E45821E5A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399795Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:30.970{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C7078AC480BAD6265C6D7DA3524CC9B,SHA256=BEC9A5AB892D708EC6A5AB85AE7DA7EDEE4BCD6ECC4045F7E794B02651EAB850,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455072Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:30.704{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455071Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:30.620{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEB03296C3472A69D8544272BCF7B00F,SHA256=DE333B759B1D8251F1F785538A8C43B881A688D7FE18E01BE5213F0ABDD3A8D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399794Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:30.657{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EC3C01EA842F7AB2437B23C2B1A182F,SHA256=08977AF162517C4045B105543A4564C455972D4A03CACB82D41DABFC876BF471,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399793Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:30.657{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78B625B840CCAB2DF3D947FE1DB3E9C7,SHA256=B45E5BAB499FEA4939D37A1D09DF1D8D1F995A3626366B4184DA20ED6AB9CFC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399798Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:31.985{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC0181CDF9F85733CB9D7104B7150085,SHA256=DECD242BF9E1AFDB00DD244CEAD2F8256ADE9F7A6779A138565B82BEA5F20621,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455073Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:31.620{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=341E7F01AE6645B30E34C0D98830F857,SHA256=70762CBDF1285699DF7607B20BC4D081750FC2F8AEE11CF119D6F2C3E9FF8EA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399797Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:31.360{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399796Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:29.567{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-52027-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 354300x80000000000000001455075Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:30.136{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61032-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001455074Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:32.650{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5CD2F2D57535CE39F0E12A87935A0E4,SHA256=159F95E8F00626B4F498B30E9AC81E73D49D9EAE45A4D6956ED6B85A9401DE8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399799Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:30.444{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54017-false10.0.1.12-8000- 354300x80000000000000001455077Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:30.698{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61033-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455076Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:33.667{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C84E4698E362BE38FFFB2B421092C7F,SHA256=51AF4D630CAC0C9F7CBB6A4862FC24118C14CFA77D93721E0319E92826C7239C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399801Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:31.554{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54018-false10.0.1.12-8089- 23542300x8000000000000000399800Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:33.017{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49D7A912AA099F09F5D4127E58CFA33D,SHA256=DCE94044327AA3BB2F3D8ACC680ED329F8925FB795EF232B5752D9F622697D04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455079Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:34.685{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F02C55965B6C53E5B6E6523D1685EB4,SHA256=435BEA3E003081441C4D7CD49F4B6C44FB0D05360EEF8D0BFC664EDE409485FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399815Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:34.673{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0B1E-60E3-C30A-00000000D401}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399814Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:34.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399813Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:34.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399812Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:34.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399811Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:34.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399810Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:34.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399809Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:34.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399808Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:34.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399807Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:34.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399806Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:34.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399805Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:34.673{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0B1E-60E3-C30A-00000000D401}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399804Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:34.673{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0B1E-60E3-C30A-00000000D401}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399803Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:34.674{7F1C7D0B-0B1E-60E3-C30A-00000000D401}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000399802Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:34.017{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51DEA965F05148359D8DA4D243F26170,SHA256=1FFD6BBA9B2AEED7BB6705A0862C8AC785209E3B8F2C6DB6B43AD738F7D62E7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455078Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:34.033{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=61458C4E1FB03C729CA9C6920CD88F49,SHA256=1D58EFADCEA8D3D6E7419D71327EAF81145FECEBF4E58EACAEB17F2A41226E54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455081Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:35.715{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C226D6D10F82DF11EA4A577F0B294E64,SHA256=624C7B7AA38AE498EDDC8392A13FD55C5EF0F2D5860A0E1735DA27E2386EC252,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399845Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.876{7F1C7D0B-0B1F-60E3-C50A-00000000D401}26961264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000399844Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.673{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E99DB516CF8ADDDF48B06428F8BE2928,SHA256=7C18D88B1A6E5EF3D0F95CE42CD87E89B5AC26C6EFA6C9E6E23FBDAD50CCBA73,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399843Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.673{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0B1F-60E3-C50A-00000000D401}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000399842Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.673{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EC3C01EA842F7AB2437B23C2B1A182F,SHA256=08977AF162517C4045B105543A4564C455972D4A03CACB82D41DABFC876BF471,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399841Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.673{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0B1F-60E3-C50A-00000000D401}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399840Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399839Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399838Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399837Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399836Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399835Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399834Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399833Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399832Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399831Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.673{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0B1F-60E3-C50A-00000000D401}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399830Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.674{7F1C7D0B-0B1F-60E3-C50A-00000000D401}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000399829Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.173{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0B1F-60E3-C40A-00000000D401}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399828Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.173{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399827Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.173{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399826Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.173{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399825Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.173{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399824Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.173{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399823Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.173{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399822Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.173{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399821Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.173{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399820Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.173{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399819Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.173{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0B1F-60E3-C40A-00000000D401}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399818Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.173{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0B1F-60E3-C40A-00000000D401}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399817Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.174{7F1C7D0B-0B1F-60E3-C40A-00000000D401}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000399816Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:35.032{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D506FE6246CC94C98295035784E8455,SHA256=7EC0F8BD20965AFDC3CB1B0406299B0C72BFF7942A4DEDF36DAC11E8FDC232DA,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001455080Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:37:35.615{D694AEB8-B3EA-60E2-1000-00000000D301}416C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d771a2-0xea0e32c4) 23542300x80000000000000001455082Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:36.745{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=384BBE141C2FEB33582ECC3EF1529830,SHA256=7B0BAC2EA532EA4D061EFBE58FEEFAAAA300C22C36C940F99FFDA067170C0835,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399847Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:36.722{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E99DB516CF8ADDDF48B06428F8BE2928,SHA256=7C18D88B1A6E5EF3D0F95CE42CD87E89B5AC26C6EFA6C9E6E23FBDAD50CCBA73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399846Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:36.157{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D47D2ECDBD4072D16E2297493346A94,SHA256=62F52B0E2954F9BD6CA25AC4EB93DFF5BA7CB8583EC1751714B2D13915959094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455084Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:37.763{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4714C0029E2019AC105C19D9A7A66C4D,SHA256=5364627C73EC793A37F7652C90CB7EB51D2D42D9ED912C8D405C49B18FB0E3DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399849Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:36.460{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54019-false10.0.1.12-8000- 23542300x8000000000000000399848Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:37.347{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20362723626B5863556B3495B1B424C3,SHA256=BB241444012E9A71806E1E5681C3C557E10B9C81442B04FD0D89DE1F38BFC95C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455083Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:35.046{D694AEB8-B3EA-60E2-1000-00000000D301}416C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-201.attackrange.local123ntpfalse20.101.57.9-123ntp 23542300x80000000000000001455085Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:38.812{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BBEB2FD4E5EB5C2D0F644D04E83209A,SHA256=CA8CC0DBD204C46612F602B5E9DB5EBD1BA1CEF63AC9AE5256AEE9BA5FD7AA76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399850Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:38.375{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C63B0B3BCE2B3D9AAE35BB8111E6BC11,SHA256=4A8D2199719477CC0EC565E19053FEF222546F11B839B70F7472A81F06012BBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455087Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:39.843{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DA01CBA0AC997FC4C2449681FB9E697,SHA256=B8112DB09E2D6FD0297B93BBE3FEA190F4067C8EF27EACEB582284211BE0AC2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399879Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.783{7F1C7D0B-0B23-60E3-C70A-00000000D401}2776872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399878Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.627{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0B23-60E3-C70A-00000000D401}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399877Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.627{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399876Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.627{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399875Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.627{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399874Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.627{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399873Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.627{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399872Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.627{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399871Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.627{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399870Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.627{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399869Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.627{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399868Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.627{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0B23-60E3-C70A-00000000D401}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399867Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.627{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0B23-60E3-C70A-00000000D401}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399866Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.628{7F1C7D0B-0B23-60E3-C70A-00000000D401}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000399865Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.424{7F1C7D0B-0B23-60E3-C60A-00000000D401}27961644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000399864Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.393{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5284EE15F4BBF59B8337B80FBBE7BBEC,SHA256=8EEC6862D9A317F3BDE4BFFFDD4F483D44A529E3E2479DAF1D74E71C8EFDF070,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455086Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:36.644{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61034-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000399863Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.127{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0B23-60E3-C60A-00000000D401}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399862Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.127{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399861Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.127{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399860Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.127{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399859Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.127{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399858Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.127{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399857Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.127{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399856Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.127{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399855Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.127{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399854Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.127{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399853Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.127{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0B23-60E3-C60A-00000000D401}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399852Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.127{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0B23-60E3-C60A-00000000D401}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399851Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:39.128{7F1C7D0B-0B23-60E3-C60A-00000000D401}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455088Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:40.859{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E92CA521FD2C1741A5B6927D77725C45,SHA256=5D798808956015E3D09DAB5D04C889A062942AB2F3C6FC0EF5FA28BC8D529E32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399908Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.783{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0B24-60E3-C90A-00000000D401}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399907Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.783{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399906Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.783{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399905Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.783{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399904Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.783{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399903Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.783{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399902Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.783{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399901Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.783{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399900Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.783{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399899Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.783{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399898Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.783{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0B24-60E3-C90A-00000000D401}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399897Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.783{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0B24-60E3-C90A-00000000D401}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399896Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.784{7F1C7D0B-0B24-60E3-C90A-00000000D401}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000399895Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.533{7F1C7D0B-0B24-60E3-C80A-00000000D401}34243364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000399894Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.502{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67AA7ABFFDA1BA80A09C7CF7815286F1,SHA256=DDFF8BF9DD4A09119E85720BBEA2E028CCA6DC55CAB6480C453208BDF5611800,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399893Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.283{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0B24-60E3-C80A-00000000D401}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399892Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.283{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399891Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.283{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399890Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.283{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399889Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.283{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399888Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.283{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399887Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.283{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399886Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.283{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399885Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.283{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399884Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.283{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399883Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.283{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0B24-60E3-C80A-00000000D401}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399882Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.283{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0B24-60E3-C80A-00000000D401}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399881Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.284{7F1C7D0B-0B24-60E3-C80A-00000000D401}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000399880Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:40.252{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F5D887773B6A20B99E94884DBB2CA10,SHA256=4B8035CCD1A6CAACE37140ECD6AFFCFA4C51FA42B06890F0C76DB369E85D537A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455089Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:41.877{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9B8D957F34359FD3B32EDE53A2C508C,SHA256=8C19A59ED5D34EC89E3C05544D8596AFD381C4F0D12F8C5ECF4A34679F4DF1A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399910Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:41.533{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=559B243B6B0D606CAB189D646F652B86,SHA256=62214577FE7CBF921B3929BD60323448E6DC694A22EAE8AC0F752749CD0A478B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399909Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:41.299{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C01C36B706EA63E55F0FE5D36634381,SHA256=3C594A05EB1B1B5AA49B437A08AFF1F5AC8937D6A7B2DC0CAC672E649B438D62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455090Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:42.907{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45046791A5F7940E5030290C2785BBB1,SHA256=75FFBC4A997971E7D1B364A6FBEBCFA5A368BA017F04BDC9B73DB8C484B58BE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399911Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:42.533{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47AE0C2BBF1312AEC0AD009165647092,SHA256=36A7AB9AE5C6E6B6D2EF1AA9755D4C7E5160DC52A6D3448AD9B1786E9D93C99A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455091Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:43.937{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=232C925D7326DF3E4CA25F2C8E18B714,SHA256=8EB315E71C7CBFF26EF268A61A486573780DA67B0B9688D3A2EF580E8DE9BC35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399912Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:43.549{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9E5E2A504B318EB2FB4E4974CB6EAB5,SHA256=62A77CA17856E057FB6E97B2903EF7422B9C42950D550F85B98CF507AABC8393,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455092Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:44.955{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E61CB1D45059C1441C988C99569BAE6B,SHA256=84BCC1047420ADA7E56499BC0A0AC992BC0688203811FE01AF020F1D84F6F6E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399914Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:44.549{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47FBB08ADDC84E76D179944EE3982019,SHA256=5BCA7BBAE83CC50AF94620DFBD6BB8DB414B729DB2AF2E74CEB3F4F32E5D7704,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399913Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:42.446{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54020-false10.0.1.12-8000- 23542300x80000000000000001455094Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:45.972{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECCC309D7693643881B67E68E28E4C0C,SHA256=F3094135D7B242062DBA6D20FA14134EEC39FF1B897DEEF53E4E092A517691A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399915Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:45.565{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF7E09B2F7965D357E550F40DF9EE9C7,SHA256=4B2FF8FC94259C742D2BD89DB9D60FB0476BC95F8E0CD91B3AFDB71B5E39D474,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455093Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:42.637{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61035-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000399916Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:46.565{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A069118945E184CEEE9CA539EFDAC243,SHA256=6CDC645C0D8DDEC331843E10E29FAAB2456F87377BB5862CFCDF33C0EA918B27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455096Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:46.488{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D621DD90430080B69E45301B80EB1AB2,SHA256=FFFF0E94BA32B930A6257765FF487609453B31727E45C20323CC739F5FA99584,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455095Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:46.488{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1DB6DCC0E9FCAE955183AA83E9C0AFE,SHA256=E153494CB82A80242E65E1CD620B43240849B5320ECB4BDD8E2C0ED98C57948B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399917Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:47.596{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9B8B01F68E5651D89A86BC2B35F97BE,SHA256=B8CA35AD45D55B6B1328DE31DAA6400A0FFFAA0B28BFCEA71151C6067A92B2EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455098Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:44.684{D694AEB8-B3EA-60E2-0F00-00000000D301}376C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-59980-false10.0.1.14win-dc-201.attackrange.local3389ms-wbt-server 23542300x80000000000000001455097Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:47.003{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BCBBF6E247D0C52A879C36120358E6C,SHA256=41F55161E17C999D126DB3BD314FFD0777C59615816562966513D487641DE18F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399918Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:48.612{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40B0D91E69F3EF69E58C946D16DB02A2,SHA256=69E69124F0318B7FCF9C476210E7010A932FBD64DBF8F18979A023E9F3E203DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455099Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:48.017{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28310C9CB4BBE9E093C45B9EEE0B06FC,SHA256=C5C0F28088AEAB674903DDF827A8308E593AA4C3019B371029B56B434099CED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399919Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:49.658{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF92E81B686093DB780EB9E6F9BD5A17,SHA256=B7B6649D33FFAA333D293FEC24CA12A67D643BD8FD7D5EA3BB97025C5AE98A0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455100Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:49.033{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AE13485EBA32A29C468EC39DEE688BF,SHA256=9640A820D90A6EF4D7D589F41049E8A9B6581955E41835E2F51E4F886953405C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399921Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:50.658{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=090A37D4758B4AC210AA12696892D171,SHA256=534B824A34A2908DD7BB587D355174D8F92DFCBD713888E5BA17B033CE118941,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455104Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:50.468{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1500-00000000D301}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455103Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:50.468{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1500-00000000D301}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455102Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:50.468{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1500-00000000D301}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001455101Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:50.050{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4B4797E57AA30816DD4A020A12241CE,SHA256=808D340E21E2C7E054F83FF2BEFD9D236E31FCA843310AA220534E33AC1900D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399920Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:48.461{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54021-false10.0.1.12-8000- 23542300x8000000000000000399922Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:51.752{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=011DD1BD8D422D2E98D28C9CDE73DEDE,SHA256=FB703434440D7C69357706326909BFF8D985A03670659A8356F081623D3CB32B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455106Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:48.647{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61036-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455105Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:51.067{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27778B3C63958ABB56C9DD8A79F856B6,SHA256=9C93376E501153299B5F5AD123D1F392F5D4D1264AC13F1A63876990361E68AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399923Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:52.815{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=679FA902FC63443E83D9E3351D8467D1,SHA256=F0EBF6882CBA5B6A50CA66F50E779D2F714850A39E6AD3A2D72188150713FFAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455107Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:52.098{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0802ED0754B211B65E9BD277A7C0D8FA,SHA256=2C7420F0669E15FDE96AAEAA5C2FA299D1BB8DEDAFC68E65D69D2101EFD79A0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399924Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:53.846{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81F722B59BD05DA5974CA6F2AC9B089E,SHA256=123D386B14D287C9982F8947C42FFF819D2F5E282548146F948359C0D0D88D85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455108Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:53.127{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEB9BCCFF1BDA3DB61A8877D61E9F119,SHA256=1A04C8E1A268A289A2833C42D33BD78F99C9744C90F1293AD16D3FC6C45DBE00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399925Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:54.877{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=077A1893E201A9FF62FE101C2DAEE3FE,SHA256=E42945874D6135970F3991D8AC32E73EDAB453A297431F942BDACFF3C1BB87D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455109Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:54.196{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC374CCB9BEE9FB241F2EBC56969B2B6,SHA256=9D5EEA9B6D4197F82724EAB62DD48F45BA68803BB898EA1DC9C9EC25782E2C02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399926Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:55.877{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89A998939AE23037B526A1C18D9D0999,SHA256=D8A97917925B0B75DDDB4C3C6EF872FABBB5CE3B94480ED2A06780D153B4F5D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455110Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:55.244{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF59300A7BBF49F1D6955E7BE0E23237,SHA256=F6E205E95B3D6893F6C26EFF8ED22B298217BD076F678995ABBD18DD3917DEE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399928Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:56.877{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1EC67B536F1CBC34AE793662349ED33,SHA256=4DEBB32EABA8BD77528D37FED866EA0CEB9C6801E7E42EDDB98728FFA2049A22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455112Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:56.262{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56E2BB4A2EF640BB058945D6616DD250,SHA256=8988F127D7E33C43AFBABAF28B56C2AC48C3D8290785C293C721D95CDBCC907B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399927Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:54.430{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54022-false10.0.1.12-8000- 354300x80000000000000001455111Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:53.674{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61037-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000399929Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:57.877{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5334DB05A32FBFBF1B36337CE90AD5B3,SHA256=A2E443E4601966C31F54069C07AEBA1A351F9ACBC6BA22734BFCDA34AC6DBE30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455113Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:57.292{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67D2DC32BF696B8383541B89C0F34B1F,SHA256=5DCC898EB91F84803904B3B169236BCD828AD14A1D4A59520FF8482A4A1B163A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399930Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:58.877{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CE69B939D56DFFA8686E8F1B33061DE,SHA256=7E15912802B4EB868C104986CDD8DFB44C84428FA07109BFA5A84A83E49C6B8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455114Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:58.341{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B4ADABA65500BEFFC03FF486877708B,SHA256=CEC6EA6D455A6DE0F379A1BF611009CFDCCE657F306EA600B0D0505B5CFB3FA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399931Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:37:59.893{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6914B1D0889E88DBC68E9A9D3E27AB6E,SHA256=015B3227F2D9BF75753E19449BC5917D5DFAC9774E59E7F037C034BB0A8A5526,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455132Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:59.674{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0B37-60E3-5C0B-00000000D301}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455131Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:59.674{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455130Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:59.674{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455129Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:59.674{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455128Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:59.674{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455127Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:59.674{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0B37-60E3-5C0B-00000000D301}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455126Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:59.674{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0B37-60E3-5C0B-00000000D301}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455125Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:59.675{D694AEB8-0B37-60E3-5C0B-00000000D301}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455124Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:59.359{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4633B2EBF4A1C1CB72F0BE24C33C126,SHA256=6420903FBA9E7C99D999189CD56A9003BFA46935978960A05A3C0F0145345593,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455123Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:59.159{D694AEB8-0B37-60E3-5B0B-00000000D301}70644784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455122Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:59.006{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0B37-60E3-5B0B-00000000D301}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455121Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:59.006{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455120Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:59.006{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455119Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:59.006{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455118Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:59.006{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455117Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:59.006{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0B37-60E3-5B0B-00000000D301}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455116Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:59.006{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0B37-60E3-5B0B-00000000D301}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455115Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:59.007{D694AEB8-0B37-60E3-5B0B-00000000D301}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000399932Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:00.893{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E0BE50867D77966E661B32FBD3F9E90,SHA256=71E1A539BCCF09A4E86F8A781433B9E3CF4226DC674CB9ED631F0BB1E12EC6E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455143Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:00.373{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EA57D276F51398B85BB6ECB75138FEF,SHA256=DF0B491C7AD9F925B77B876BF55A77E111F4E767C3482F7D2535B42F3826DBC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455142Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:00.341{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0B38-60E3-5D0B-00000000D301}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455141Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:00.339{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455140Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:00.339{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455139Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:00.339{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455138Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:00.339{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455137Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:00.339{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0B38-60E3-5D0B-00000000D301}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455136Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:00.338{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0B38-60E3-5D0B-00000000D301}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455135Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:00.337{D694AEB8-0B38-60E3-5D0B-00000000D301}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455134Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:00.058{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B4B6EF3EE2C5C4DBFBB7200F8A79CA2,SHA256=486293C2D7A0796D45216AE6902555AC94F87609A6775A4C9952CFA2642005DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455133Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:00.058{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D621DD90430080B69E45301B80EB1AB2,SHA256=FFFF0E94BA32B930A6257765FF487609453B31727E45C20323CC739F5FA99584,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399933Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:01.908{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=687F34084DD9925C073DEBB4D95A179F,SHA256=19951F7EF7D8512064CCAABC586F5AF1B1EA4D05E67388846594E6F3BD599A61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455145Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:01.404{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14830520D8DA96FB07CCC075CD95A462,SHA256=98BB965D61DCAB3F84503C2AB8A3AEA4B86A0CACE52DE035CDB5C97F349C51F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455144Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:01.358{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B4B6EF3EE2C5C4DBFBB7200F8A79CA2,SHA256=486293C2D7A0796D45216AE6902555AC94F87609A6775A4C9952CFA2642005DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399935Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:02.908{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9A9A111817CE7E30133E25BC711503D,SHA256=703B59CAE941BE531C71383C4733D87CD44D6F9EF799B7F4671CC5E0518B7874,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455157Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:02.988{D694AEB8-B3EA-60E2-0D00-00000000D301}9166272C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2500-00000000D301}2804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455156Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:02.772{D694AEB8-0B3A-60E3-5E0B-00000000D301}60481120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455155Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:02.641{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0B3A-60E3-5E0B-00000000D301}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455154Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:02.641{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455153Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:02.641{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455152Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:02.641{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455151Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:02.641{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455150Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:02.641{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0B3A-60E3-5E0B-00000000D301}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455149Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:02.641{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0B3A-60E3-5E0B-00000000D301}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455148Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:02.639{D694AEB8-0B3A-60E3-5E0B-00000000D301}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455147Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:02.437{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=726F1C6AB35F5D71C9473A6A08EF882A,SHA256=EFBE1054293FA4F989E9FD185EAB4BED5F1E778AA9F2D06C056701281F3F92BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399934Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:00.212{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54023-false10.0.1.12-8000- 354300x80000000000000001455146Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:37:59.683{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61038-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000399936Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:03.908{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=946E19E4E5D0C78EDE7B21BDB78D3F22,SHA256=278AA3B09A180C22320456936E6688B34A10FCA22A2090741434C8FC33E6AC8A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455176Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:03.987{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0B3B-60E3-600B-00000000D301}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455175Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:03.987{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455174Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:03.987{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455173Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:03.987{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455172Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:03.987{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455171Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:03.987{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0B3B-60E3-600B-00000000D301}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455170Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:03.987{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0B3B-60E3-600B-00000000D301}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455169Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:03.987{D694AEB8-0B3B-60E3-600B-00000000D301}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455168Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:03.671{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2E1879E39B24A1FFE2DA54F04A18833,SHA256=2420B6CBCB0BB3B6EC8EB6922B86BE41A56EA3609009326E106DB5981A35EDCA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455167Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:03.487{D694AEB8-0B3B-60E3-5F0B-00000000D301}67562504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001455166Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:03.456{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC62518E5609BFDB87B616EA662279EE,SHA256=985F1F1EA83D8BD625774073BF58D555660AA04B3855B118BAF38FBB77B7B33E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455165Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:03.319{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0B3B-60E3-5F0B-00000000D301}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455164Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:03.319{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455163Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:03.319{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455162Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:03.319{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455161Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:03.319{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455160Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:03.319{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0B3B-60E3-5F0B-00000000D301}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455159Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:03.319{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0B3B-60E3-5F0B-00000000D301}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455158Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:03.320{D694AEB8-0B3B-60E3-5F0B-00000000D301}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000399937Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:04.908{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61E77734FA641A74062F2ADB09150164,SHA256=BE8B8FFA06780175AB7B91753A84C1511FC20A995EFECD44FF447D5364F7254E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455186Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:04.838{D694AEB8-0B3C-60E3-610B-00000000D301}52005424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455185Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:04.670{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0B3C-60E3-610B-00000000D301}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455184Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:04.670{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455183Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:04.670{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455182Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:04.670{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455181Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:04.670{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455180Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:04.670{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0B3C-60E3-610B-00000000D301}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455179Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:04.670{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0B3C-60E3-610B-00000000D301}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455178Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:04.671{D694AEB8-0B3C-60E3-610B-00000000D301}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455177Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:04.470{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D88389B2478BE8595F5FB1D92326221,SHA256=FC2CBDCED78BA4DB8583F19EC2E132358B6CCE691456BE411E94C740283150E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399938Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:05.908{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2300FC972331DEDC193001258DBADF81,SHA256=2F171F386EC04C5ED1283988366261FD0B088949786A18C3B08231457FAABE48,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455190Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:03.418{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61039-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001455189Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:03.418{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61039-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001455188Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:05.485{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4577C632A2885D9C82D6AB87CD5F077,SHA256=996FCB7A947EE403CDCF07F8C848F446DC6DF90CFFF3519395E21F3D39513DD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455187Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:05.001{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=861500B2274F989783BF3A1F1BAE3915,SHA256=9AC3B5BDE742EA84328F651C9479320A9D7F3445B604FF7F662C8EAF87E71FDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399941Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:05.524{7F1C7D0B-B3E4-60E2-1100-00000000D401}996C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:884:baa:f5ff:fef0win-host-884546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 354300x8000000000000000399940Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:05.243{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54024-false10.0.1.12-8000- 23542300x8000000000000000399939Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:06.909{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C8C44E5E561ACD8FB49F76FF0595287,SHA256=E7C79B92684A58DDA0D7CC8725E5F38BB073A2AA480A013D62E1888635945997,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455191Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:06.499{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9616447B73D708401C08E8EA6819B7DA,SHA256=BACD059AD4F94D1FB3DC99658420809855D2EEA5DD550ABB8B9863B813518702,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399942Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:07.924{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=800C7D6AFE8E8D584FD036790CC0D598,SHA256=AB65238E1D2B3AF7C95F2675E0F795E74413F6FED0ABFE50ABFAF5085CF2004E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455193Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:05.599{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61040-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455192Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:07.514{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5DE91B1DCD08033D5058AB2746C9384,SHA256=E3B6BCA24720464F282A346E64A7ED2BEF51DAA6DB64BAFA9FA7E737B08F2261,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399943Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:08.924{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B1563CD7C9013C3E855AD3F2712B367,SHA256=5CBCA4D72826BD71F149D1967661412671F4F4030163A8532AC9FB597CCBC43A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455194Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:08.531{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BFE5E57FEBE2F7CD05553194F796CEF,SHA256=BD5287384878ED006B51BD79CE529334E1F3AF00FECFDAFB960CC9566D454536,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399944Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:09.924{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C4E5EB3B5B1B2F35D7B42CBC1AA6DD5,SHA256=23FB750C73B07B09C1DB35512128CB51E5D971A04ECBF1BB21F4C744FFFF8CB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455195Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:09.550{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FF75DA99DC42E5D4A1189482268BF38,SHA256=007E5F1C92ABA7DF85AE62EDB5AAB7E55192D602541EB96F064BF3B261D393F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399945Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:10.924{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CABBADD6BBD91F15D559589B59BCB9A4,SHA256=942AC8DE539DCD993C627461460EBC07FC2A0CB8BE6FBD95FF5207D17FE85DCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455196Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:10.564{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B9B2DFE24BDE063C7D1201F1927E92D,SHA256=76B23E7DDB6CADC492D36F73DA5BDE913F50564BE911E33CE7543984C04E42D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399946Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:11.924{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C67F5E9AA63D2423391D5BB10083295,SHA256=140223CA45C38C825649580E36C051E23E78B8978B18D1B04090C4B04B46AE4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455197Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:11.579{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B36CD3A2B0C959549F3FD37CAE6A0D5C,SHA256=FB7BF2FD957828D862317FFD760825EAAFE1F0794A93520E8AAB93D80531E7ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455198Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:12.593{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10FC1B897714A1C57329A975377D9EE0,SHA256=0B7607469E318FD0D6D16F31FFD027228995D5522F9397AFFC04BFEE0D08E51F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399947Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:12.924{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59896D2BB8D070B688A88557AA0275A5,SHA256=08B1132F5B4C6FC1CB15C9839CC7332E36F26A48025B9E460CD629056EF5FF00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455199Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:13.625{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1FDD9D7860CFBD30592297A32FCFD4E,SHA256=478258761E3985FD47ED7A9099FBA61B98D9398937EDD4D7339109A0A0126493,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399949Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:13.924{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74B35EA5D36C6553F20F4D641BB9701E,SHA256=83C2577A2B9D8138694F7BC68CF8851AB28E0FBCF666C9BA57B12E6933B12EEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399948Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:11.227{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54025-false10.0.1.12-8000- 23542300x8000000000000000399950Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:14.940{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15C6C0F2FF10954542766C098426BBFE,SHA256=02C86DD634BE1F1A5D5E27CB9EADF3D78E0E7E947B2D9A436EBB6F63BF31CD6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455201Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:14.659{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BFDC9649C740C31298F3C60CA050395,SHA256=B8823751988F3482892AEF7F087A9BC9BB4BDDCBB66FADD756D3CBB840E441B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455200Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:11.593{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61041-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000399951Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:15.955{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E34E37333B15A86760C1785AA65D1797,SHA256=9D2456E7FCB6F37AD7B4564607B282A63A03252214545B0DA550171FC93F11B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455202Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:15.689{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22AAA75073D4239864C65C8681D69D7A,SHA256=13782C51628E79F935253BDF7B6919F15F533DD721263F721D803FC1B8BF2377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399952Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:16.955{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F62DA39C5DC01CF0E14816BDA992AE2A,SHA256=BAA0CB7449C8F4BADCF2B3971DB6CC4BB1D13769D18558BA169A21193AFF2A6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455203Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:16.722{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=323C855ABECE00667AB07B2F4654FC35,SHA256=ABA9375E67F3A36D3C3D4AEEFE3F0AFDA7D5D14EB0B5F587F95D47E43E73CC8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399953Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:17.955{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC6AD8EB2D119CA26286E5732C4F3A21,SHA256=F7FFA53EAC73910A80539A3C9034CA62210A54AF311357A4F846262CDDA454B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455204Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:17.740{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=115E7BB6DBCE1C355E53952C4CFA49F3,SHA256=21D7A165F9DB6BD9D88EBC66E8B22BB4CEC5149C1B68DCA537FEF976C51F101D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399955Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:18.955{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6301BCD4D4FEC06F3C9649CE9D842D7A,SHA256=EB83CDEA17C0B2B2E8210BFEE2BE6664E99E95581BA24D9EE9CA2B9BB2E38229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455205Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:18.754{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDE4336D3ADB081530877D2DEE48533A,SHA256=A4E19BABBC2D4A3CFFF93FC9F0716A8A621F702838101B1144107E1BDF923569,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399954Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:16.228{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54026-false10.0.1.12-8000- 23542300x8000000000000000399956Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:19.955{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17FEE1EAB0A161F5AB2EFC283F3CB1A0,SHA256=8547BE1241281B666380C6E4E6E41B99D1D00A742359A6E96D8CB26123D41CAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455206Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:19.784{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=458873E12D5C1F0B7A7ECCB51F5A89D3,SHA256=FFAD8FBB52C4CED9078FB2DFB9E55DB1BE07AE4F7A10F2FD27B7C501F6A1B358,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399957Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:20.955{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A83E85251C9261CB48301C35BC02AC9A,SHA256=C2AB044F85F759A41CAAB533FB716EE14CE81E5D999BE6B885954129CFACF4C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455208Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:20.817{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C5063A4AB763D61B515B53043744390,SHA256=DDA126245B39B6842B5C6A722300F17E74FF3CB78B6164A16A080EB980C8747B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455207Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:17.586{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61042-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000399958Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:21.955{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B1BFA3157B4AA96550AC615B5E53421,SHA256=E43D01BCD2F240C22B0DF5C02208E3A5A4B96CAED99D95B1A25A2611EACBF623,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455209Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:21.867{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6692CB74662A4A89B381E871CE8C9BBA,SHA256=2310368D4CE63A10E09FB6BBB8BDB1B12E0F731686EA1E5D6A14643C7D8E72FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399960Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:22.955{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D30BF4D31E3B038637890B51A23F691,SHA256=78A72D7701AA5F0090D6C93BF3C1AAFA9E3E827C2B0774CF6C1D8AA857B4ED2F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455227Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455226Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455225Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455224Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455223Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455222Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455221Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455220Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455219Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455218Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455217Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455216Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455215Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455214Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455213Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455212Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455211Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001455210Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.881{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA7E4370A5112D82A8FAAADBD4628AA6,SHA256=E88DAFE217C9BA882F036A5199781732C526C76BA08689B2BE725FF4E1624ECF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399959Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:21.446{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54027-false10.0.1.12-8000- 23542300x8000000000000000399961Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:23.955{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31363F6DE8B0B507A84342CCBCBF3B65,SHA256=0F1B89E67C9CC3DE43A8BD0748C85233A7072204ED72A43399EF4560EDF0FC69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455239Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455238Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455237Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455236Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455235Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455234Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455233Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455232Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455231Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455230Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455229Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455228Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000399962Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:24.955{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38ABD895217A15445FADCC33AF70810F,SHA256=AC0D5263809A453FFD53EDFDA1D4ED5E1EBD1B047D81DE074D56CCEFE35064C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455241Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:22.659{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61043-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455240Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:24.233{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=047169369BD6072FEBF9C28C45CF03C5,SHA256=EFD1B0DE19E2481184CC07ACFE812CBF95C827196AA5B47BAB6748101A2495BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399963Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:25.955{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BD4D298C382E591E376997258FE820B,SHA256=E439FA87A8D859DA53EB29039028D664A00CA247781B87049FC4E4E584CF6482,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455242Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:25.247{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=905C77E5E350EEC42902E95BCBFFC485,SHA256=ABF10D81FE22466C0E4E0EDA4EA3F4037F7A37D67CE4E4EBEA78E40CE3537A54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399965Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:26.955{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4FB57F818B582F14840BDE2BF2F0424,SHA256=1057121F3126B9E60D65D9F38167656C6437D2B612D5C12787D45097BC0616E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455243Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:26.248{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC315C2C04CDC527AE38B81DBE673BEC,SHA256=ABEF78011F50196458E26CA1C2A56DA720E9697132B1266F0B087C47ECC13CE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399964Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:26.377{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=902E9866D43E5B9FF877D6306B6CD9A8,SHA256=9669ABCA525AD26A39EA77715C3A375129B7AA9B5A22EBAD0CD416B71418638A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399966Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:27.955{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E441D5C5C81FCFA0F87032A35F63F530,SHA256=5F37268F3A2789B84675A3D4C77542BD8449B111FFFC20C0ABC3D8F220EF1840,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455244Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:27.262{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B89C3AB0F815A21B05246673B2B4D340,SHA256=673668321EE415F2529FEBF682742E4D8A85D74EA08BADE0FC5661FCF4C4919A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399968Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:28.955{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6000414D5BBF9143786A8000181852F,SHA256=EE23A389A507A04083B9AE90C10253624EA490822DA7D500CD44509252C7D0BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399967Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:27.462{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54028-false10.0.1.12-8000- 23542300x80000000000000001455245Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:28.292{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E365C44CB1787D50B61C85EA0289D01,SHA256=B441FFF6EC014934B9BC473D92F2239AD5C61DC0A3A84F858FDB671CA7944493,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399969Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:29.955{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87EC548739C5458298F1DB823A59DE1A,SHA256=B51B46289595219CC70F4829107A09300BBF3A8907EB2D8906B782B1359C76D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455246Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:29.309{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=486CFE7559FAF3F998D558C1D82A2FB6,SHA256=A717E3C6A6FBE4A2DC5E6FB1D6A9100E7C3592022287C61839568B284602F46E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399972Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:30.955{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D4616E6501CF85B25DA6D050D70274D,SHA256=D59195FC4E703E1AD0B3D437BDF432596A1BDE0992CE7AB980A9B0C219765520,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455249Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:28.654{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61044-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455248Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:30.712{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455247Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:30.328{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8772134E91D3CD872AFA4C17588BED15,SHA256=FF50E9489EE0194B93E99C3EA8C8811C27388461245B9F055D48F1A3817E4EAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399971Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:30.799{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA3C5CA62C84BC81C638F90B2C44DBD4,SHA256=3E98D77023B12F199BDE50660EA6DFF4AFCC85FD231767368ED29FBF3000FCC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399970Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:30.799{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A150A6690B723DDBE207227EF6DF8F89,SHA256=FC3E36BEBB3681963671C7125F9E594654CCBEB0E3CF79ED240FDC6553E8CDBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399975Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:31.955{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=390A74FAF7DBFB203DF4B3D3A0D6FC12,SHA256=745741420D4F609CB8E3078DE0E122B063B1A93C0F83913E98166F54B15D3BEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455250Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:31.359{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C59CA3516A1E50774A75701BC64016B7,SHA256=FE21216AEC029C34B8C362890CBF071AC079439605D2CF81DA0B96D67002E4C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399974Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:31.377{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000399973Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:29.737{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-53172-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000399976Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:32.955{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=854102222D856D881F818EC484A23025,SHA256=23737E19205D24A2FC38629CB062A46739FA4CEAD4EE55CE714A9488BFDAC496,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455251Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:32.373{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08D31CF9EB5B025414C4EDC42716E9F2,SHA256=02267960BF1F2276DC06AFB5A5AAB8A25705ED12545397C542DB93D4A2197940,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000399978Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:33.955{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA553990F11BD25A209495BFC40A320C,SHA256=F5F6284B6A1A8B3565A22DA4B10119D57AA3D6AB2E4B8D1BF2EBF4DF0A71BE53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455263Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:33.387{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E94BFFDA26F47F8F6B24A89615DEAA66,SHA256=A0093FD80DCE7AD66514CDB1E9960B0BC54537AA676C1827B8782AEC0F7761E4,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001455262Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:38:33.387{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001455261Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:38:33.387{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x01559f52) 13241300x80000000000000001455260Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:38:33.387{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7719a-0xaa39b7d9) 13241300x80000000000000001455259Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:38:33.387{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d771a3-0x0bfe1fd9) 13241300x80000000000000001455258Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:38:33.387{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771ab-0x6dc287d9) 13241300x80000000000000001455257Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:38:33.387{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001455256Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:38:33.387{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x01559f52) 13241300x80000000000000001455255Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:38:33.387{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7719a-0xaa39b7d9) 13241300x80000000000000001455254Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:38:33.387{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d771a3-0x0bfe1fd9) 13241300x80000000000000001455253Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:38:33.387{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771ab-0x6dc287d9) 354300x8000000000000000399977Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:31.572{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54029-false10.0.1.12-8089- 354300x80000000000000001455252Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:30.153{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61045-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000399993Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:34.971{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EC7E3421ED699B5A66C78E3000440C0,SHA256=65767F9168B518C61B57452E23A191B7572753012EF5D85D6E7C6A1AE3E9A71C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455265Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:34.407{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55311AAC9EA8B5175E920A77B389EFAC,SHA256=6D2737BE927CC744900C560C886AB9B62F1C4149AB11B1A2D7D55F514692EDB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000399992Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:34.674{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0B5A-60E3-CA0A-00000000D401}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399991Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:34.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399990Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:34.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399989Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:34.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399988Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:34.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399987Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:34.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399986Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:34.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399985Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:34.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399984Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:34.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399983Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:34.674{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0B5A-60E3-CA0A-00000000D401}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399982Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:34.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399981Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:34.674{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0B5A-60E3-CA0A-00000000D401}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399980Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:34.675{7F1C7D0B-0B5A-60E3-CA0A-00000000D401}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000399979Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:33.462{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54030-false10.0.1.12-8000- 23542300x80000000000000001455264Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:34.040{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=BD02450180B5F8BC1F855BED1F58E93C,SHA256=136BDB6406B82642600324F52803CE9E2766BB7E4945A7DD487C4123C7DA183E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455266Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:35.439{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49B9BEA72CAC659936BADCD1B823B894,SHA256=1BE1C3A5B0EA4992726AE8E8707C07C26F6EC4F7B9265F33AE728CC308799C2A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400022Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.846{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0B5B-60E3-CC0A-00000000D401}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400021Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.846{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400020Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.846{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400019Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.846{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400018Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.846{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400017Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.846{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400016Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.846{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400015Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.846{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400014Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.846{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0B5B-60E3-CC0A-00000000D401}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400013Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.846{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400012Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.846{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400011Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.846{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0B5B-60E3-CC0A-00000000D401}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400010Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.847{7F1C7D0B-0B5B-60E3-CC0A-00000000D401}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400009Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.815{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F696D3EDDA4222AABA47A0BC68085544,SHA256=F588BC98E9DCC11951487A115EE9053BB1202207AF2A596C89D1D52E25313B7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400008Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.815{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA3C5CA62C84BC81C638F90B2C44DBD4,SHA256=3E98D77023B12F199BDE50660EA6DFF4AFCC85FD231767368ED29FBF3000FCC5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400007Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.596{7F1C7D0B-0B5B-60E3-CB0A-00000000D401}26241440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400006Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.346{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0B5B-60E3-CB0A-00000000D401}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400005Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.346{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400004Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.346{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400003Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.346{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400002Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.346{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400001Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.346{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400000Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.346{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399999Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.346{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399998Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.346{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399997Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.346{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399996Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.346{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0B5B-60E3-CB0A-00000000D401}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000399995Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.346{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0B5B-60E3-CB0A-00000000D401}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000399994Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:35.347{7F1C7D0B-0B5B-60E3-CB0A-00000000D401}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455267Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:36.453{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB2656AED3576F5D7DBA5852317BBFDB,SHA256=7CD2E242C57095239EC0AD08A100B89919BAD23EA2DCF05FAE419F8165CD369C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400024Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:36.877{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F696D3EDDA4222AABA47A0BC68085544,SHA256=F588BC98E9DCC11951487A115EE9053BB1202207AF2A596C89D1D52E25313B7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400023Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:36.002{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7A4013B254F06406E231E5B74DBC431,SHA256=7246ED6B13252B4B596BD98A2F51B12F5AE37DED3AB48F66F77F708092FFD207,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455269Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:37.468{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EB8055CBC17549E9077098137CF6307,SHA256=C288F4400411F9E968D74B8778562C7D15064CFC1B62C68EDC13B45F2D7B29E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400025Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:37.033{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6519B52E1487D5CEE4CBBE40C83F183,SHA256=CCA0F19F173D0A51368D5616B4050935CB7C14DA2575D9039B3EE3C89C569C0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455268Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:34.685{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61046-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455270Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:38.482{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D09660EBBBDD54C7159A6B43F7C1CD8,SHA256=8D96EE2D378995D32B1E922C667C21B283E004BB2B457636E5A110134DED8E0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400026Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:38.035{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=271ABE1BC781943DDCC604591845F640,SHA256=7BDD7B296E8E636683D9E6124BDC9CF2176E19D64F843D7A910740CCB6424F81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455271Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:39.500{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F6197115B0254E82FEEC1145DEC8E32,SHA256=7972F41B46FF68F765AA02FD1F0CFAE7310616EC11D03A53384F8E6DE91DD0A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400055Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.987{7F1C7D0B-0B5F-60E3-CE0A-00000000D401}82832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400054Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.815{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0B5F-60E3-CE0A-00000000D401}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400053Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.815{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400052Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.815{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400051Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.815{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400050Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.815{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400049Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.815{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400048Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.815{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400047Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.815{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400046Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.815{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400045Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.815{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400044Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.815{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0B5F-60E3-CE0A-00000000D401}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400043Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.815{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0B5F-60E3-CE0A-00000000D401}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400042Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.816{7F1C7D0B-0B5F-60E3-CE0A-00000000D401}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000400041Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.345{7F1C7D0B-0B5F-60E3-CD0A-00000000D401}20961076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400040Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.142{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0B5F-60E3-CD0A-00000000D401}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400039Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.142{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400038Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.142{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400037Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.142{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400036Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.142{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400035Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.142{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400034Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.142{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400033Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.142{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400032Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.142{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400031Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.142{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400030Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.142{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0B5F-60E3-CD0A-00000000D401}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400029Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.142{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0B5F-60E3-CD0A-00000000D401}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400028Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.143{7F1C7D0B-0B5F-60E3-CD0A-00000000D401}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400027Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.048{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CFA676C2AAABEE517F76C699D588FDA,SHA256=875BE67A0FCA237B18CF1558C305BA1E02AABD15FA44C3FE273F98860BBEA8F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455272Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:40.518{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D54001DF63F8A078900765498740ED17,SHA256=82FA793952744D2E358D3D29287E59701EE12966753F299DD5C78FC545D988BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400084Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.987{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0B60-60E3-D00A-00000000D401}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400083Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.987{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400082Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.987{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400081Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.987{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400080Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.987{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400079Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.987{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400078Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.987{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400077Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.987{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400076Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.987{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400075Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.987{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400074Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.987{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0B60-60E3-D00A-00000000D401}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400073Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.987{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0B60-60E3-D00A-00000000D401}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400072Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.988{7F1C7D0B-0B60-60E3-D00A-00000000D401}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000400071Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:39.399{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54031-false10.0.1.12-8000- 23542300x8000000000000000400070Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.549{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95CBF8E4CA561825D6C5E2AA5EFEA383,SHA256=BE160B56FE0CAC899A2DF86173DB55383ED6FBDD5424EFF07223B17CA7E61412,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400069Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.549{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D65FAED0551FABFBEFA5DC828AC55554,SHA256=1625C647A190AA34761FC60F9CDCE268F095FD0FDEDD96B6F7585B4C4C20CBAC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400068Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.487{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0B60-60E3-CF0A-00000000D401}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400067Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.487{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400066Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.487{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400065Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.487{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400064Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.487{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400063Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.487{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400062Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.487{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400061Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.487{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400060Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.487{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0B60-60E3-CF0A-00000000D401}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400059Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.487{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400058Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.487{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400057Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.487{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0B60-60E3-CF0A-00000000D401}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400056Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:40.487{7F1C7D0B-0B60-60E3-CF0A-00000000D401}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455273Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:41.533{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F9F475D2BC87B7EC11C91F0BBDEA058,SHA256=0FB6A58C1BB27E9697F17F879E65F1BFF02BB2E4C46B2F2637F686F71BDEE9B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400087Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:41.737{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80493CF73BBC7EA7FF5BB941E5618A4A,SHA256=74EE044A409090F9BE56A470E2F6E4D05C8E8B2AD0822D48ED2A604BD1789556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400086Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:41.502{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C78F919C669313214B676F3F5330888,SHA256=F3605D4B2B642140C7FE458BD539C69051FF24791542D1CD730BFAD11838A488,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400085Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:41.190{7F1C7D0B-0B60-60E3-D00A-00000000D401}40723352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001455274Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:42.548{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C43733EB8AE4B36D1DF67074275B8CA,SHA256=FDC509726D5F2524EF156375EB0CD1EC3412845D328E9DFBE1EE73DED5B1C645,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400088Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:42.830{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBA290515A3019DF35A52EFC4E73C397,SHA256=EBCA26B5A1F3821F93A58198352CE5C1077F75406769B99BBC837360069022F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400089Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:43.846{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC6B1308E04E227969D440CDDDF54413,SHA256=C4F0992DAA113462F95492F0D665CCC978310F5D4C8A2611D92CAD0BEAC1DD2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455276Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:43.563{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04C559083F03ABE009A0AF1A9E3EED4B,SHA256=6705721D44F45EDF917AB42A2C3911F10F3F4E583C165D9FF83BBF6199A1C7F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455275Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:40.695{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61047-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000400090Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:44.893{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2148AD7AD47F2274A4BAB9BD6BDFE88D,SHA256=3968EFDCB1830AB7821E297125DAE94221C39B7700EB68016946BE07EC859CD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455277Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:44.577{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AE751A5B11B9A267131ABFA1C4EF660,SHA256=5EDECADCDA57CA5DA9EC25C619A06AF02929F032D5F0B6994413EB375A320B3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400091Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:45.893{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05ACBEA11D4A894063D38F70D994DF4D,SHA256=3D31C4BDF1A1650407D6E28077290BED4FB21A1AE5F923D6FCB407FF1DE8A8D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455278Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:45.594{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9C825C0CB9C0E7880AE2605B32521F7,SHA256=829A469A7B49E56D49C29BF6D4AF8D70AC675AE3CE3B53407D5E307C36B12B4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400093Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:46.893{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=473D7E682D04A01CD0A65851C2FFC100,SHA256=A1038CC7D6DB11B89931BC3223B905C75E723E1021F6C7932A98A92EB0043B5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455279Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:46.612{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=752E02B6C52B55A4369FCB8FE357F1E5,SHA256=3B1DEEED8E3681B5A095E65112676B3FA80AD9EB45078696138412D1651BFC70,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400092Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:44.415{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54032-false10.0.1.12-8000- 23542300x8000000000000000400094Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:47.909{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=690938DB8A0D317E8F3A4177A89A53A6,SHA256=E59FB4104EB6A2D4E4588053888B180D00F64029726A85167305FF05D9DAFBD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455280Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:47.658{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2486347D25B38FC07CE2CD51D3C86BAC,SHA256=6951390AC73E95F83175D0348FA92AC08985182B98FECF5A29BCE30F072EDD5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400095Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:48.924{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83A91481AF662C91D0A4202EEEC08209,SHA256=12DE7C4CAC58F6060816BA23CA4ADE9DBB0313141976FF7FBA611130A037D58D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455281Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:48.695{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB727913807B2EB24F2290993DE92778,SHA256=F7BD2CB563EA13817C2A4D7B83EF7661E6A06BF7848B033A9541554185F8FE02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455283Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:49.710{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BD09C83DD38BCF308471271C82E31F4,SHA256=6728C8A74F1539543E9E04044B93A0D08F2B09C92AC8C84D2660C11BDC7A9937,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455282Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:46.674{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61048-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455284Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:50.724{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64152D421DB90288F6274D11FC7398B1,SHA256=C3F38DDF7EA9F93704BEB89C2C63634182105D21714E92E954F4D4649E6D4741,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400096Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:50.002{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D89DAA2C06EB67DC8FCB2AE5205D33A,SHA256=39C3E83D457ABE7E60727B1A68AE47A76A7D349DE1D45B4A4815F3E56D858A7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455285Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:51.739{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5E2E352E84204FBBC65BF2CC963A4DA,SHA256=DE73B9860443924193269E188279434807D923FDFEE13519F1B4321E9BB98C37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400097Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:51.002{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82C2B73678DD48620B9C1DF66D0F22BD,SHA256=E3911966F1880FCDCB73EE9ED32C6BE31343279CD0C77573BA18990CE586EDD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455286Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:52.769{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8500A66DCE3925C47A306B7F8DA73A3F,SHA256=ACA4805AA5BB021808F42742C0B74732114689B5358A05874648642DF83AC5E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400099Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:50.416{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54033-false10.0.1.12-8000- 23542300x8000000000000000400098Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:52.002{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C418368C44D107F6B93CE43E772A7ECF,SHA256=8D3B05C20C69EE833593B9973039716A1F6207477163664BA47378D0BD9C11FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455287Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:53.786{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8655F10DA84BACC95E134C865725C0DC,SHA256=6A1D43B8C2CC6826C69E3BA42847957B11953393ADB62AC86224E679CE96F452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400100Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:53.002{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCCF7A32A4462EE8E9503ECA9A640C7E,SHA256=598EEEC47FFCCF770D283DC30C7BF935719DA1309DFC57D50769441DC2DDEFD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455289Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:54.804{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=243E218B09BBBE9C0FF2A8190FFC3AA2,SHA256=8B73E8B6A326E6311129F0E1172CD3F8F6A1136F95BCF9192E1DE561EB8BBDF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400101Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:54.003{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21277029DDF07CEC0AD113CD6DDBD282,SHA256=92B5D68422EE9C2852E11A7E360BB7CC1F400CE3054AC860B54844574F4F84A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455288Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:52.684{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61049-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455290Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:55.834{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FC46429EEF9EBB18946831C02EF6F49,SHA256=82E231D50880EEA62960964B254A277B3FBBF701D157C357889037F0C619A00B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400102Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:55.018{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E69A61B930EB433608FFBC97013752B,SHA256=F4F714B475C12F1EE8104D2ADCFD8E10D2E4824B044FAE4C608EC08C0FC59529,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455291Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:56.864{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD0C8FC3CCBC8866D4F918359EFE6F67,SHA256=F62844E44C5939711B30E264BD9414C3998F22C738588A5F4F12905B81605364,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400103Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:56.018{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30C63F3832896AE2DD0E4705C0D7EB53,SHA256=AE91A3009BECFFE39F713C8930A6EFCDA6E8B7831A82DC3950A2F7AEDD4E3855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455292Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:57.881{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A273D555348EA0A7AA696E9609F9C8BC,SHA256=13ADC1573447C767A0E7470A07E4561A5ABE50F0CADF96B3502F2D2D5B65F527,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400105Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:56.400{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54034-false10.0.1.12-8000- 23542300x8000000000000000400104Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:57.018{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA0CECA7467C7CA5C1CF952F3C18C330,SHA256=C2E0B6E7F404043528E0D7738ACDC2754470F3FAAA8B78D2CAF1075A69FE694F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455293Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:58.900{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4917371E8B52F9D38C96C9BC2D34F397,SHA256=53D28CCAEA850C9470D7C6ED1455F4DEDB89AE21C056EDC20F1985DF88FF37D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400106Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:58.018{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5248334F2E36EA590D8B438FC7275050,SHA256=4C76C1871EC56613B79D3F77065A96E1B393BD12ABC3BC0CABB687D4EB0DE00C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455310Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:59.915{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECB80438CE07553481C1FDCE612A2551,SHA256=022C703102B3FE180CB5B87998FD9E17539E32744FC3C2C9700749310F648692,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455309Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:59.514{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0B73-60E3-630B-00000000D301}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455308Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:59.514{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455307Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:59.514{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455306Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:59.514{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455305Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:59.514{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455304Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:59.514{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0B73-60E3-630B-00000000D301}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455303Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:59.514{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0B73-60E3-630B-00000000D301}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455302Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:59.515{D694AEB8-0B73-60E3-630B-00000000D301}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001455301Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:58.999{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0B73-60E3-620B-00000000D301}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455300Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:58.999{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455299Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:58.999{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455298Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:58.999{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455297Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:58.999{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455296Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:58.999{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0B73-60E3-620B-00000000D301}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455295Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:58.999{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0B73-60E3-620B-00000000D301}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455294Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:59.000{D694AEB8-0B73-60E3-620B-00000000D301}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400107Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:38:59.018{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7571AF6F7003D21494174ACD95A6311B,SHA256=0C89ADC6B283249990A5D0D30E51F2885DD3FC43444945A8C44A759D1A7BC676,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455323Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:00.961{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B596DF3B47AE39F8EEE3768DEC3C82C4,SHA256=D919FAAEB4B2F1BB588CA7264B607ACBB9EC00AC8F1F75BEF86EE1D87D9C613E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455322Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:38:58.677{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61050-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001455321Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:00.345{D694AEB8-0B74-60E3-640B-00000000D301}62404496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455320Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:00.183{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0B74-60E3-640B-00000000D301}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455319Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:00.182{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455318Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:00.182{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455317Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:00.182{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455316Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:00.181{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455315Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:00.181{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0B74-60E3-640B-00000000D301}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455314Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:00.181{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0B74-60E3-640B-00000000D301}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455313Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:00.180{D694AEB8-0B74-60E3-640B-00000000D301}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455312Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:00.030{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF6E714044225D4E753C5A8F5AC583CE,SHA256=FFAAC59756CC8EEC3627051D5D5FC65DCFA87818D807CA7635A4A80680D2F5F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455311Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:00.030{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73783C3B65B6CAB0584DCAA6A8FF2A1C,SHA256=FD0F021725182956D6E604716D4737ABAB420E8579FEE147D369B4E33D19B65A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400108Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:00.018{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36BF87BFAE3F73D2348A5489C8958A34,SHA256=B3B6CC018DACFBCDEB0441A931D2D11B6B44845FE9EF3A596B77E1475F6884AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455325Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:01.979{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F5CC9F7915AF04239E3BE85ACD288DB,SHA256=A3116591B8DF3190A44E07D897706EBCBA5146F70A6352736BBC9F18D6B6E469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455324Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:01.198{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF6E714044225D4E753C5A8F5AC583CE,SHA256=FFAAC59756CC8EEC3627051D5D5FC65DCFA87818D807CA7635A4A80680D2F5F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400109Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:01.018{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8D1AE45D66704EC40A3DC4B2BB4BD8E,SHA256=C884AC81D5795847F484BA5887B8D24121E24C7C7BCE3B633BAB632AF7BCA1FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400110Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:02.018{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A225E35EA0833790B85F66936B080A4,SHA256=4D4BC4E61F01EE415DF8566E143F8CAFF16C94C8D341FFEDCB50F83F16BD4D2B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455334Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:02.828{D694AEB8-0B76-60E3-650B-00000000D301}69283148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455333Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:02.659{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0B76-60E3-650B-00000000D301}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455332Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:02.659{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455331Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:02.659{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455330Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:02.659{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455329Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:02.659{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455328Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:02.659{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0B76-60E3-650B-00000000D301}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455327Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:02.659{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0B76-60E3-650B-00000000D301}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455326Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:02.660{D694AEB8-0B76-60E3-650B-00000000D301}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400111Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:03.018{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FAA212216456E65F79B3187B8EE9DCA,SHA256=7EDA5B624D957F548F002CB232EC750646951A2210F326BC48AB337F85E04E8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455345Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:03.677{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=486E338CE0E7E0BA87983FA3D8558F25,SHA256=E2086FA4224CB98F123E33A131A622E77971CD621482A0038F756C40528F2EED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455344Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:03.459{D694AEB8-0B77-60E3-660B-00000000D301}64165704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455343Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:03.327{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0B77-60E3-660B-00000000D301}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455342Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:03.327{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455341Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:03.327{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455340Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:03.327{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455339Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:03.327{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455338Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:03.327{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0B77-60E3-660B-00000000D301}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455337Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:03.327{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0B77-60E3-660B-00000000D301}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455336Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:03.328{D694AEB8-0B77-60E3-660B-00000000D301}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455335Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:02.996{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26FAA144879E0896FA85F649699133A5,SHA256=173C4981688E45181F087710BD0E5FD083A21FDEE6BC28DF5F3D0853C1A802C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400113Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:04.018{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E575521836F8C5A6BF34CFB1B21A3F2D,SHA256=AE0241602998985C87790A4CAB3EB8A8489569600C5ECAB23DDDC691C05CE9C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455363Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:04.678{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0B78-60E3-680B-00000000D301}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455362Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:04.676{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455361Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:04.676{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455360Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:04.676{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455359Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:04.676{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455358Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:04.676{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0B78-60E3-680B-00000000D301}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455357Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:04.675{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0B78-60E3-680B-00000000D301}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455356Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:04.674{D694AEB8-0B78-60E3-680B-00000000D301}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001455355Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:04.143{D694AEB8-0B77-60E3-670B-00000000D301}52646660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001455354Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:04.011{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E86D8BA0BC5E1672A2D43005BBDA6A5,SHA256=3E3D5A37CF74CC8B579DB1560191AB33EFF02B639C968325AED53ABF389951D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400112Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:02.385{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54035-false10.0.1.12-8000- 10341000x80000000000000001455353Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:03.996{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0B77-60E3-670B-00000000D301}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455352Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:03.996{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455351Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:03.996{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455350Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:03.996{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455349Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:03.996{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455348Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:03.996{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0B77-60E3-670B-00000000D301}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455347Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:03.996{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0B77-60E3-670B-00000000D301}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455346Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:03.996{D694AEB8-0B77-60E3-670B-00000000D301}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400114Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:05.018{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=521755D67662440145E9AEC339AACA4B,SHA256=6E74C298330DB76F644275FD1A1C9C82D2529A8F7CCEE2ABF93678FFB8F9D037,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455367Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:03.421{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61051-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001455366Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:03.421{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61051-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001455365Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:05.027{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45B2BABBDBD31B7B1E61895131F74852,SHA256=EE447326C5A207D06F4D9E1DCD84BC2109442DBD9A7E2220966FF2D45B2BB8EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455364Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:05.011{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A509638B3D25AEEC98AA041647A160DB,SHA256=E5D662674E19201EF304BE4FD280BEB2F7AE9018A10297179ED7481471990825,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455369Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:04.673{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61052-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455368Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:06.041{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCC4083D79940C2EFCDC8D2C024FD234,SHA256=5308C990C9D1AADF99044795CE61227F913353386E55DB3780B8BF85B1CFD29B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400115Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:06.018{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03B62A7DF0625EE880125E25EC478966,SHA256=DDB1AA67F64C31CA7E93D113D86407F69C7244B99E52F644A9C0D8111EF05F24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400116Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:07.018{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C493A966C62C106FC94DC2A04D527FB4,SHA256=A91600DE05850FBA018664717B2B6F87C3233AC480AADB0A85D9BFEF1A70CA91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455370Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:07.056{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BE684CFE0B2A02ED06AC1FE92856D8C,SHA256=F4D9165C5A8C8F6297C1527B9C1DE92FB4B5F28D0366B7BC3420DF2359D8EB18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400117Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:08.018{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=308393E9E490A40F9D6F37A29651C124,SHA256=A1058AAACD204ECB83CFCCA3CE2F03FA6D719FD587BF1B8D0F286CF431DE38E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455371Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:08.056{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=106226BC5324880CF4113E8DF76D7B42,SHA256=7EBA8031F0A98DA9A99118CBEF86857283FE04A9C151C4C02EE475D402AF500F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455372Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:09.068{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45431922AA88D00841FEE8A08F1069BB,SHA256=6C98D6A371B0EB209D808108AF4FBDD5D0F5A8DF4135A1D4D1DC53DC6E0B68EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400118Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:09.034{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=309A70CDB98D4916115CDEEB63DF6AEF,SHA256=31735085F5892B03EDD77DB6997DEAD0812283F383300B67BADFA0B1C00EFD68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455373Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:10.085{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BDAFF2BED888ECE6EB34895D16EB0CC,SHA256=CF79BA249F32865F69EB02FFE832730140192C6DBD68D9AAEB94742D304A9CA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400120Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:08.369{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54036-false10.0.1.12-8000- 23542300x8000000000000000400119Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:10.034{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7406D6D0F78EA17B3D191DD473BAD943,SHA256=EBCEA95FFF459468EA1AC334981949A335F195BDA3566062DB5E31BA401DE077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455374Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:11.104{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8D821009726965B053795B4F083F138,SHA256=52F5F74C4A6BF926AB08440C7427DDE068FC36DC1D97F5DB8A3635E0C26F2FF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400121Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:11.034{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B8799015C8489E790A30A1D18B80FBE,SHA256=77BFDD219204F83E2BA90BD5D8A5ED4A0F33F73307B79374526ED25F08FDE360,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400122Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:12.034{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C60B37F1504B0757B30DEFC4B24F875D,SHA256=5EFC034D4AA0D11B8C21A7D6395A8EF2DB79EBB7FA659329931A3943FF421520,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455376Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:10.666{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61053-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455375Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:12.134{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B7B372CD55A95AF73EB95DA57C01095,SHA256=83A6D4C6744121132EE0F7A432DA4F6B574B3BBF8288C20C538460A0153A2E3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455377Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:13.163{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D00F94507D302AADA69106EB9169EF5,SHA256=EAE5A841AB745179CE22B93EB9AD0D3731F53BCDE84E5FF9002BDD5B45590230,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400123Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:13.034{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B53BA67BB223CB64780DBABC9F833EB5,SHA256=27A3E80FC693CE25385A00F1B0B13F09DAFB376C8C70D81616330D6019FBF98A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455378Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:14.181{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7DD7786F874051E4065F2077168B391,SHA256=DA72DE53E418D4DBD6F15903AEC67778368EC2C919980AB792A877B843B5E759,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400124Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:14.034{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F4237D3B3D751537A6CCDD4FE3F8E82,SHA256=72438A7B8767A54F96E3FF7FB82E0D10D5D268C87357F8FF3D6EB08F2B40766A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455379Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:15.199{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBDFD2160AA927D5FA99FE2ADBC7C99A,SHA256=6733A7D970A6160B950DCAB595AD0A5D4B045B7AC2C5CD840925F3669C6365A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400125Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:15.034{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=559FBF2F4EF93A73D0D6E3944102FC11,SHA256=FF846F954DFC2F874E5A70A584EDC70F8C756E19BD1C0C99AA1637F52A5D6D54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455380Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:16.229{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8543C23949D875790FB76B76255D33AB,SHA256=DC676B1309866E4BD7A423498237C3484049ABB9CE2C59D698FA23148A038B00,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400127Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:14.400{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54037-false10.0.1.12-8000- 23542300x8000000000000000400126Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:16.034{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D75FD9FEA2F4B1B452E26BE479EBEC0D,SHA256=2F0C7B4A0B60B564E3BFC2D5744BA067AB08813239BF32288DC0FD2E5BD90997,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455382Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:15.675{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61054-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455381Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:17.244{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A91A47A126AD0518690973FFD035082C,SHA256=F778DFBFDCBC513E0FA4D8EF76A37A47C5890B588AAA56ED6C5D131321935354,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400128Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:17.034{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B60BE0D9B50ED90F63CB4D8F82F1F1D3,SHA256=810C53ACE9E735BD726F1E964685F35F802574ADF01F363E782487749C0DC28D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455383Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:18.258{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBAB0D9ABB2E31E102D36FDC680135BF,SHA256=C11E8B304E004584CED9E14B78AA49C3FAAD3645215E4A84C7C0F9A7172838C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400129Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:18.034{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD5B429B4BF54C5716E36FDA05E867E1,SHA256=8A8F4E3439258ED9071711D7BB5903DC8CD3EDAC512D6F22EC02DF8FF9E26B92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455384Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:19.276{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=425DBF08ED9A943FD77765FA14118227,SHA256=2F900931CD79046E37269E5A2A2BA9028A028A710A61169D42C704078F25803B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400130Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:19.034{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06DF5717E80785EE1DCBEA3B3A164CFA,SHA256=B4BD774F016AEAB0EE959830A6F1E16B03C7556F431E852D12041C0739C931A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455385Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:20.293{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41B3CA94C78C82D265A0D2B4B0A62C5D,SHA256=9AD6624607E13749F37397C989C2AA9AB361B37769F406496B57701B79BCEE89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400131Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:20.034{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=804A2510322934F3CDD91B8D6535B3D8,SHA256=B1473B3F3E2DA2068959C85AEBC724C9F5D57B3ED12CA1238CEB26FF024E7437,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455386Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:21.323{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1815A2C16BAF07180C6ED6CCB60E3458,SHA256=D0037BF97E2B6B4C58E403D7C6544D280C3220CDDC947904A275B4C86D639AE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400133Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:20.400{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54038-false10.0.1.12-8000- 23542300x8000000000000000400132Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:21.049{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F2F9DC38C2BED970E5208E55EB8AC0F,SHA256=E5968ED8DAB46785476FF65727A54A6F7DE4A078B45F33C05557BA6E57DA4302,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455387Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:22.353{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CD6F4127C3FB4C33AC7333C6D6F779C,SHA256=194011C0E58F4E2CD70EF31E863FC7D93894DAD856FBDC64713039E8282A8BCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400134Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:22.049{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B0FE96CBC14F7EA4D3BB3F159069B1B,SHA256=B3AA2D67E671EB1DAC17C02937CBED4BF2CABA3594E66D0F12CDD37816B4EFB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400135Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:23.049{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A1A855BCE176D7380419F7E9990F608,SHA256=DE3270902DAF788144ABB197F74573B8E10A1D8A5223367E7BABC9C3F240BE16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455388Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:23.370{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F67FDEC0B482BAE7D042C0408DA14BF9,SHA256=390F56D10FA4B807B255D32C20196CB0F0480BAD936343515BC461F083B66B61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455390Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:24.388{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03E2BFB3FF40E360838E4D22133784FB,SHA256=4ACB4AE09869772FE1F92313A9222D28F677BD00925D1418667277CA9BC8066D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400136Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:24.049{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F97848C3BD435510C775100F765CE7E4,SHA256=9C7ED8BDA68F3AC5BB276824F348F76EC7C8818506B9978AE528BD463B3A4BC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455389Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:21.637{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61055-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455391Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:25.418{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=235F155690888CE21C61993EA7B02A6E,SHA256=9351EBEDA6FE6D45F3C4DFA7B743F856EE9B175AD46670EB773DFE4056ADB608,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400137Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:25.049{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27926605AB625D1D3E7F76E3E1FCF988,SHA256=A14D6C58F4DEDBF2F85D1A349E3D05D6299950F1A173D5FEAA104A7860E57B67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455392Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:26.448{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=366D60E7652ABA8194341A3181322F87,SHA256=93B80DA3E8BC8E6F0794CA106928B737F9A44F467118300EA4B2D9C6A07BB93D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400139Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:26.377{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2C4C5B18C005D59584FB2E13988B46F9,SHA256=A1849A9617038EEF9E5866D6539953324321721C723164CBAFAE58935CCDEA0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400138Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:26.049{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C67D1E6F1A8CA8BC18CDAD6140BF419,SHA256=79A510260431F0E5A56439B442C64DFAD9C29BFF4C2E8312536A1233BB8C6D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455393Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:27.466{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC367DDB7B9AA931712EAC23B91F6741,SHA256=35786DF85633A7A7879DAB8800D6BC132917CE1094EE54E4C341E87159039D6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400140Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:27.049{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D527CB6A6F1A10A313CA9A5C9424A293,SHA256=DC54ADE4593D47E73155E1BE9AFBAF5276EEB466559EB2605D79056D49EC947F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455394Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:28.484{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6745365CC866F6E74393ED06C5558F9F,SHA256=9E58D2E6B42330562FCCE4E50FC5BAA985F2902965065F2CF98361628CED6C0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400144Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:28.440{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8187819DA526A760C132205E8C3AA130,SHA256=BC2280F90AFE6FC120CF79117A6DDC3C4FA60C3091CB312E7553E3F797582E36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400143Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:28.440{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5AC05053FFDCA81B98CE269433E67AF,SHA256=F6504BB2A0973786CCFA375D0527359DB70E3C1ADC005663477C493D314302F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400142Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:26.385{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54039-false10.0.1.12-8000- 23542300x8000000000000000400141Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:28.049{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3D6E476DDE80DE4EFE8D7F29CAD236B,SHA256=969DE065BCC846A357C25D33A435817E758B0A830AE7406D261B49535178B258,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455396Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:29.514{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95BB2EF1C6401AFD9E7C51E39E137F62,SHA256=34E754E4291C3959E9E431B9F2CBDDE55FB8D6F864CB535710C826BB4FBB393C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400146Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:27.428{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-40301-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000400145Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:29.049{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20D3453C0AF5CD7135D785617FAD3837,SHA256=41580B9F001448E6E0338AD8D0DD21222316D84E2C1F7EFE37C6A87B294957F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455395Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:26.648{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61056-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455398Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:30.729{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455397Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:30.529{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DAD7E7A1F5F9F37420CAC3FCD24054D,SHA256=A9DF1250D5C07DB5260FD13BB0F8EC5B002F0C4C486DCCF440BAE733BEC85739,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400149Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:29.109{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-52670-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000400148Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:30.174{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8187819DA526A760C132205E8C3AA130,SHA256=BC2280F90AFE6FC120CF79117A6DDC3C4FA60C3091CB312E7553E3F797582E36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400147Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:30.049{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0E06E287D6EB40AF396ABE8611E781F,SHA256=D83997EA648B6EBE76992F01C30B20901C94F5D3EEE43605FC88A4F314FC6F0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455399Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:31.543{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81817A7BC30336FDBB8E33F3942D4B40,SHA256=D4B4D16F9E0760C71F6FF23D6EC0E026255ADAB7FDB9FE78A9A1717995371A76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400151Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:31.393{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400150Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:31.049{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECBE2F795F4F4C8F8B8BBA14D15E3296,SHA256=9508951ED843DAE2A5C1D06AE8813F1C86A365F81A52233AE2996D3A77F2DEBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455401Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:32.563{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C22FF5A349A2D4870B1512AD5482C8E,SHA256=4789BC647EE391C32CE23A2F8727024A22D5668401E00FD8EC5DB8BF3BCE0767,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400152Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:32.049{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28372DC9C92D7E09DC1CAC866DA94DBF,SHA256=786F5FA8AB5C0D47ECECCB8F3134555D87270BECC1865BFB837ED20A24369609,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455400Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:30.160{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61057-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001455402Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:33.579{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A63CAB87907D69ADE1308BB890CE2FC5,SHA256=447FCBB40465D4032D5B6120C4C5CEABA3451DD1E62D11D2167085A7D6F60D95,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400155Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:32.385{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54041-false10.0.1.12-8000- 354300x8000000000000000400154Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:31.588{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54040-false10.0.1.12-8089- 23542300x8000000000000000400153Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:33.049{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B4EC932CF752CE82A20AC74AC39FADC,SHA256=59E585F4F64F40C84EFB6125731FE39F364E964FC1491367F60B3657C6E4A229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455404Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:34.593{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C49FE73E36275CD2F5D7DD6173F99936,SHA256=1D98BDA8ABC9736751761CBCA115050390E195D119DF5B964E3B72553893194D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400170Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:34.909{7F1C7D0B-0B96-60E3-D10A-00000000D401}8242692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400169Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:34.674{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0B96-60E3-D10A-00000000D401}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400168Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:34.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400167Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:34.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400166Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:34.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400165Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:34.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400164Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:34.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400163Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:34.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400162Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:34.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400161Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:34.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400160Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:34.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400159Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:34.674{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0B96-60E3-D10A-00000000D401}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400158Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:34.674{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0B96-60E3-D10A-00000000D401}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400157Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:34.675{7F1C7D0B-0B96-60E3-D10A-00000000D401}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400156Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:34.065{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E44EEB12EED194D3804F53FC64C3815E,SHA256=064A044A7EF6101A3D3B5B2A4DB68545CA0CF0E8E9BE4B9A3A0B843518E8C7F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455403Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:34.041{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F0AD75086C90AF9BD6C265DA7DA54681,SHA256=744B5F36CCB794B22982F8CE0326AFDAD704F71A961190FC24231302639718E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455406Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:35.608{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F92D0A25CD8FDEA2BE5E45064992B657,SHA256=C35A29DF895027E0BD21D83559FABC926A416CEFEE293C4AD3E24B941BE0B9BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400199Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.674{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9A68BFD843A3CEE44F10E2C3C5B1829,SHA256=5765C954E10502E7E122DC0D03CB89C3F23AB7A3DC166D036C5498B672FAC179,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400198Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.674{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0B97-60E3-D30A-00000000D401}980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400197Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400196Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400195Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400194Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400193Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400192Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400191Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400190Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400189Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000400188Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.674{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=439D4BB7F799DEB5CED12403A27D08D9,SHA256=AEA35FD8528A7C2C9AF04D109E5D7CD1D25CF5660D1E6DAF1B9D02566CB39294,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400187Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.674{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0B97-60E3-D30A-00000000D401}980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400186Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.674{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0B97-60E3-D30A-00000000D401}980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400185Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.675{7F1C7D0B-0B97-60E3-D30A-00000000D401}980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000400184Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.174{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0B97-60E3-D20A-00000000D401}1756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400183Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.174{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400182Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.174{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400181Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.174{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400180Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.174{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400179Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.174{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400178Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.174{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400177Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.174{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400176Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.174{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400175Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.174{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400174Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.174{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0B97-60E3-D20A-00000000D401}1756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400173Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.174{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0B97-60E3-D20A-00000000D401}1756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400172Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.175{7F1C7D0B-0B97-60E3-D20A-00000000D401}1756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400171Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:35.065{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA9E7D305A729CDEE445E5B6DFF35C3C,SHA256=31ECCEE03AD53251CC593BEE4218053E2CCA09806AD484F3697639FF37E1FDC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455405Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:32.641{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61058-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455407Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:36.657{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8B93AE8A2D8B6983937A0FEADB6737A,SHA256=6354D8B05DE927ABD613F01E73C68D833AA893416DF391DE97BFBAFF13624A65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400201Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:36.690{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9A68BFD843A3CEE44F10E2C3C5B1829,SHA256=5765C954E10502E7E122DC0D03CB89C3F23AB7A3DC166D036C5498B672FAC179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400200Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:36.174{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE615865DE040D1D950D2E792B02BB46,SHA256=71B7B61F630DC26D0636A7F04259E49EEE6F215C71C5AA98DC2E7DBC0D5334D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455408Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:37.674{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE70E4AB6177B344129896A086AE4CA0,SHA256=C9A1D55C7CE2B6B529018FE7D4E98EE5A5755E37D6AB2AE1CDBA02549D17BBCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400202Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:37.409{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3C100DF3B4972EED09CD9B7ACCD7437,SHA256=95E1E7C1961091479DAE09CD00F4220F3694AE0AF4E7D3A3E72ECEBAAD47CA19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455409Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:38.720{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6E776FFACFB0265B819D215A07D2A13,SHA256=6589E0B612455088E30CF6398E8B24C628558A37FB61EAE3F5C3248A4438B7FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400203Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:38.409{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FBF231A4BBFD58EA200BA0E6737A5B8,SHA256=968DD76DC56CF4BDC150A75186601D7BFA828E480C29AE82AAF75D95FD724135,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455410Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:39.753{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=378C8068FFC61D45546147756A69BBB3,SHA256=9537F25B9893D49860C7165DAD8686DDBA8EE17291750C88C70253E94E882F66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400233Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.814{7F1C7D0B-0B9B-60E3-D50A-00000000D401}8122700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000400232Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:38.401{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54042-false10.0.1.12-8000- 10341000x8000000000000000400231Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.658{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0B9B-60E3-D50A-00000000D401}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400230Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.658{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400229Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.658{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400228Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.658{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400227Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.658{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400226Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.658{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400225Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.658{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400224Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.658{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400223Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.658{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400222Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.658{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400221Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.658{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0B9B-60E3-D50A-00000000D401}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400220Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.658{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0B9B-60E3-D50A-00000000D401}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400219Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.659{7F1C7D0B-0B9B-60E3-D50A-00000000D401}812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400218Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.458{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=691F281CE5E04C8809C66BEF218753AC,SHA256=A42FF26E4E2D987AE8C07C30092409C921C1D74FAA6911B4282FA719DEDAC34E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400217Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.380{7F1C7D0B-0B9B-60E3-D40A-00000000D401}31561452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400216Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.161{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0B9B-60E3-D40A-00000000D401}3156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400215Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400214Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400213Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400212Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400211Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400210Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400209Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400208Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400207Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400206Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.161{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0B9B-60E3-D40A-00000000D401}3156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400205Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.161{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0B9B-60E3-D40A-00000000D401}3156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400204Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:39.162{7F1C7D0B-0B9B-60E3-D40A-00000000D401}3156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455412Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:40.770{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0265E4DC41BA727049444A4D4DD853F8,SHA256=147414538F7C0112D12609AC1E1B738C68ABF87358F73552A22E36C903FB5240,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400262Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.988{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0B9C-60E3-D70A-00000000D401}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400261Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.988{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400260Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.988{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400259Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.988{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400258Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.988{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400257Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.988{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400256Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.988{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400255Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.988{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400254Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.988{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400253Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.988{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400252Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.988{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0B9C-60E3-D70A-00000000D401}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400251Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.988{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0B9C-60E3-D70A-00000000D401}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400250Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.989{7F1C7D0B-0B9C-60E3-D70A-00000000D401}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400249Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.800{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3D8FECEBA02E8A3BA0ABED0C2DC2880,SHA256=8D676C66FC7A8CF1F3409815F92B398E51DA5D55590EB376F434D132A00B88BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400248Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.585{7F1C7D0B-0B9C-60E3-D60A-00000000D401}15362704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001455411Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:38.634{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61059-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000400247Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.314{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0B9C-60E3-D60A-00000000D401}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400246Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.314{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400245Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.314{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400244Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.314{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400243Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.314{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400242Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.314{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400241Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.314{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400240Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.314{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400239Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.314{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400238Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.314{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400237Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.314{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0B9C-60E3-D60A-00000000D401}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400236Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.314{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0B9C-60E3-D60A-00000000D401}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400235Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.315{7F1C7D0B-0B9C-60E3-D60A-00000000D401}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400234Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:40.220{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F73A603EB4F387D92F3F2099558D3F9B,SHA256=8A7DC8130834B8F2B3754D8C87A393DD18207B56EC0F57D66BBE18DDFC261BBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455413Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:41.770{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D27351D85AE60EAE4070A3A3ED212B0,SHA256=07F9FED482BF44EEC884DAC6DF7E79FB3168286495B8D470FC4DD107F5BF621B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400264Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:41.644{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B83C2FC592F6C4D2E2BEE2EE6D16F5F2,SHA256=91E363FD2F3C71D3B5DDCF79152BBC750F02E93F6DE7984BB2521505BE997918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400263Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:41.394{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4406419E43B553D53AE4B4C2D17757DB,SHA256=98DDCB1021781AAB8EC8AB989F68B7D59B06CA08FEEEBCD5467DF5EDE6CF8C95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400265Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:42.644{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=990C2625C29F7AB0D3EAA92147614926,SHA256=7A70593D2C479106A7CD7714D25349BD88F4AA1BA629019A93FE51B0980540EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455414Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:42.771{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=368E93AF2DC762AEEBFC7D8815EE78FA,SHA256=30F5D887CEAEA39E1690D09DFD5B6A9EA6E92C2ACB0D25C4D12879DDB42DA075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400266Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:43.722{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4A4636AFEDCB86D32E7337283612BC7,SHA256=638A66E4DC8BAB006E2A8946AE39CE8CF8A3F809751012FE770A4B83F5033538,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455415Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:43.802{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AE95ECE80EE774270C2181517324BEF,SHA256=86839E68A5B185B44198FE978012C98CC27C2195AB0F65A3086A7004DAAAA1A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455416Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:44.816{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B61D248C087DF807C1C9BFE42ED087B8,SHA256=63D3EC3A2AC8B4F185F2FB761A97816B7EEBC922AFF287EB8A16989D5CB7D834,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400267Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:44.722{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=540584C453F890D82409A8A1FCA7CCAD,SHA256=F75E9AD55695E6D75B5C830609D1FC08A2DB91066FB2E5BAC4D5D8D64453F0AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455417Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:45.831{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32719921130CFD69D20BB715D3141A68,SHA256=0375629FB1B44E8D252AFA84C136F0B64A3FFEEF584F1C32F42A15AB7F55643A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400269Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:45.754{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5381EF69405D6C8FE77E7DF5AB9A3314,SHA256=6C16E26AB7F646CF4F0BD2C8B74CA2911ABC0936331E80EC67F1B76EC259E380,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400268Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:43.402{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54043-false10.0.1.12-8000- 23542300x8000000000000000400270Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:46.925{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFF551737D84AD40BDC6FE442721D82F,SHA256=DCF871AFA34CB4696A5E8F4A5092FBE2408E7423CA733388E3F7D431BEF6CFD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455419Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:46.851{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0CDEA690AE1B2CD4CE4AA96FFD737A3,SHA256=EC2720A0B20C0E2BE1BFA7712CB14E0694430B1AC4737F9F7638E0934EB9958A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455418Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:44.631{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61060-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455420Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:47.866{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3652D1FBB0E02FFD4BB4FA11F07DA1C1,SHA256=339797439F9BAA8F347AD474C71AE0B35F1BE227EB3AB80E3CEA6B4671E4B0AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455421Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:48.896{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F341003F22E76E8FAF13586EBDC2E935,SHA256=669E19D7E30F1503B11B28BF4AC9795CC4F618524B1BF3FD625305D12C38F007,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400271Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:48.082{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D270A94494D708F8254426911812436,SHA256=A91F7DE09DBC7E92699803A9B6627765CA42C8AD09F7140A6E88B751E7DB8493,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455422Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:49.926{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ECCCC76F257D4EF3813D0E3FD4017B5,SHA256=DE1EEB350FB888CD29009E8B159BF6EACEADF3FF5E07813CAD879D268C45062C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400272Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:49.082{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2664BFD871F685D4ED4301038D5A2247,SHA256=0800D382ADD331B4FD5D29F5CE4062A8398896598C56DAFEE798863D5FB31C09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455423Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:50.944{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C11A63E269AB245805334804AD0DDB5,SHA256=71C6408BE1C0E6194560644BBB77225C0A6088C69758997EED8E7704B063A9BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400274Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:48.402{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54044-false10.0.1.12-8000- 23542300x8000000000000000400273Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:50.097{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=996EEC530032BBC43708B4C6586AB6DE,SHA256=90532FBD3F93F9DB903AE1C5325F9347788AA4629229B449EBC711C3BE7A89D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455424Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:51.961{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF8B3FC81B568D7BEEDEABE39021F07B,SHA256=B3B26FFAA9031C54BCA7A289D4760D95211FC25936516B8DEFE7E2EAECFD214B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400275Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:51.097{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44773D98E8C398A65298C6314B130FBD,SHA256=73C142A73C8A561744A39ECEBCE9A31A5B46E76FEC048B7197185A12E6AC278E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455426Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:52.976{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78A326AED2433AD53A870F2B6F1855B1,SHA256=DED321DE8CF5FCF1289DBEDC5B5BD6C416F45D27FE882951EF2259CF4D90BA8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455425Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:50.656{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61061-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000400276Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:52.097{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBD52EB0BAEC0201E91742DACF92E154,SHA256=7D7861F6E09CA6AE5FEB5ED909E0468FC0318D5951FBF7854FECC70CB0C078A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455427Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:53.992{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=929F31F58621180133C74C0ED870BF21,SHA256=A1105340604BFE1B36E073D7929F797B7BCED00ACA0AA3F70D65D6F6703217BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400277Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:53.097{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AA806D80F3604DE928592932086981C,SHA256=3E90617DBBB889662F9D70E1A92E4922471EA38E7814B8FF2C1C219BF07160C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400278Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:54.097{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F747A8FCE6951ACBF997A65AF38FBD57,SHA256=076A9AFF9A40A7811D4A6A50376FA801AC30DF948F92D2D357E60E98F6000548,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455428Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:55.006{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBD7C95553B3338D550762A9F063B0D6,SHA256=091F586376360719639EB339AFDB5A16F67AEEBCF1A77566B415419845480305,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400279Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:55.097{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B611F47D0460C86A60E9C21E19270DD,SHA256=5E1ED1B748DFDF7744F64EDD1F124D88CFF5C429E6DF106F33A22B2C0DF5093A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455429Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:56.038{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAFE7F4B8BDD48C8C62D3B07EA6BBF30,SHA256=A81EA59822F2DC7385C140C4A22A2588EA0DD5E19BF4AA35DED263A205BD6296,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400281Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:54.418{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54045-false10.0.1.12-8000- 23542300x8000000000000000400280Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:56.097{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0326B55C79017AE7C380A15B200D87F9,SHA256=D5406C09356AFC6D40634CADFBA9D1FAA3C2062CF304C40668B086692AC8C240,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455430Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:57.057{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=689D8FC773325D81075EE214BE8FB58C,SHA256=D710A524E1DB0B58D4E07E20BCF01161537DB7D565E96419CB0A5F41A39006B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400282Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:57.097{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FEA622D9BF6272C5C9DCF0E84C45141,SHA256=D5008CF510063B3C4720C57E0AF7635E89B66E1D05E01D470C67796CAA4B6C23,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455432Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:56.650{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61062-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455431Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:58.087{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A790E753422D6AB03CE2AE70D83E8B2,SHA256=CB8D48E9BA7AF27B979A00D1849DA82C46B427CD6661C0F3AE5A4232E5E079A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400283Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:58.097{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=724939E0877688065DA6850CAFCC0690,SHA256=3A09A6AF19702A100FE5FB5EEEB45A57552D37AF3AE909C865E074FA9CD9CC63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455450Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:59.854{D694AEB8-0BAF-60E3-6A0B-00000000D301}33365432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455449Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:59.701{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0BAF-60E3-6A0B-00000000D301}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455448Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:59.701{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455447Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:59.701{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455446Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:59.701{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455445Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:59.701{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455444Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:59.701{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0BAF-60E3-6A0B-00000000D301}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455443Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:59.701{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0BAF-60E3-6A0B-00000000D301}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455442Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:59.702{D694AEB8-0BAF-60E3-6A0B-00000000D301}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455441Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:59.117{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=161170FF21EB4E0C559BE33E209A747B,SHA256=B84950E2D4F3D1F6697E5C404625D1E98A50C537D7A1E39F3A0C9F08EAFE96C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400284Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:59.097{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54A8EC25DB52E2CB0EEA9548AEF9C1DB,SHA256=3CC9B24F609E9B9BC8C642676D032BB16D1F8F777630FDE1BE358B46650496B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455440Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:59.017{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0BAF-60E3-690B-00000000D301}6352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455439Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:59.017{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455438Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:59.017{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455437Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:59.017{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455436Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:59.017{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455435Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:59.017{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0BAF-60E3-690B-00000000D301}6352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455434Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:59.017{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0BAF-60E3-690B-00000000D301}6352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455433Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:39:59.018{D694AEB8-0BAF-60E3-690B-00000000D301}6352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001455461Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:00.316{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0BB0-60E3-6B0B-00000000D301}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455460Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:00.316{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455459Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:00.316{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455458Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:00.316{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455457Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:00.316{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455456Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:00.316{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0BB0-60E3-6B0B-00000000D301}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455455Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:00.316{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0BB0-60E3-6B0B-00000000D301}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455454Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:00.317{D694AEB8-0BB0-60E3-6B0B-00000000D301}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455453Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:00.185{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3070201650B264CA05D66B60DC250981,SHA256=309C6C81D1DB0DDBAF953ECFA5AC03405F11D31A3DF64E53C2FF55AB5A0C8556,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400286Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:39:59.449{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54046-false10.0.1.12-8000- 23542300x8000000000000000400285Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:00.097{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C7403E0636843516F5E9E7E89202A17,SHA256=8F5DAE0BC03A9A5749038A022326684663DC3F0E5E210F68B80F58C42B9A11BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455452Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:00.116{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B9B737EDA71035CE1943E1299D3B975,SHA256=9D7149FB148AC5D3CB9A7BA302537FC2AAE6EC63B55C8404EC84CC291E25E785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455451Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:00.116{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB84C1E193E5FCC4708DC65569E6FAC9,SHA256=5F13050EA779B2EB8DE9DF9B4581C950B5604E3E5D23CB2FE4BD956C32F25A0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400287Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:01.097{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E37626E4051B67DB5C21832350C490D6,SHA256=477647C45012AC04EF0E7DC52056C4DE5311ACAB70BAD059A1FCC3C8A23375F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455463Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:01.352{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B9B737EDA71035CE1943E1299D3B975,SHA256=9D7149FB148AC5D3CB9A7BA302537FC2AAE6EC63B55C8404EC84CC291E25E785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455462Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:01.215{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B04858B632DF2EBB4D701F5F2EAD5A2,SHA256=B14798EE88F36A88ACFE8F429BCCCF6C14534AC31126216197F3B8A5DDFA1925,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455473Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:02.683{D694AEB8-0BB2-60E3-6C0B-00000000D301}46324596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455472Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:02.535{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0BB2-60E3-6C0B-00000000D301}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455471Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:02.533{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455470Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:02.533{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455469Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:02.533{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455468Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:02.532{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455467Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:02.532{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0BB2-60E3-6C0B-00000000D301}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455466Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:02.532{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0BB2-60E3-6C0B-00000000D301}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455465Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:02.531{D694AEB8-0BB2-60E3-6C0B-00000000D301}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455464Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:02.251{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84C9E8E6B369FD261B3B9C42D2C9062D,SHA256=05AE3715602A0E77D0CF12091CB128C331A4AF77751022A1E950757004240449,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400288Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:02.097{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65DB41679669E27FCDE0B1FC4D02E22F,SHA256=D4E6B35F18C6577CA3CD29DBC9CE84BF663F60DBFF1770F820B851C5ED2E8E4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455493Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:03.897{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0BB3-60E3-6E0B-00000000D301}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455492Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:03.897{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455491Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:03.897{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455490Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:03.897{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455489Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:03.897{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455488Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:03.897{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0BB3-60E3-6E0B-00000000D301}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455487Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:03.897{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0BB3-60E3-6E0B-00000000D301}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455486Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:03.898{D694AEB8-0BB3-60E3-6E0B-00000000D301}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001455485Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:01.660{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61063-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455484Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:03.551{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D89BF3D34B80C6F6D190B63A2DE13E39,SHA256=76E3194CB41E54DE6B10EE8E843AC5D23CAB2605338A9210F56EF4C80F9FD676,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455483Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:03.398{D694AEB8-0BB3-60E3-6D0B-00000000D301}40844520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001455482Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:03.282{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A1476C1F06C9AB0FB9BAE010DCBCFE5,SHA256=4CEFF08CE008838AF499EA603DD0F1F1A8B3010FA2598A3B17C0C62A04AF92B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400289Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:03.097{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C99793D9B76A26967F5E1A9022362AFB,SHA256=2062B7C41B5C0F4162D87735CF6B99A7D61B3F0DAA63CFB6560F175CBD5D14CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455481Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:03.214{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0BB3-60E3-6D0B-00000000D301}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455480Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:03.214{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455479Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:03.214{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455478Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:03.214{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0BB3-60E3-6D0B-00000000D301}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455477Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:03.214{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455476Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:03.214{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455475Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:03.214{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0BB3-60E3-6D0B-00000000D301}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455474Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:03.214{D694AEB8-0BB3-60E3-6D0B-00000000D301}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001455503Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:04.734{D694AEB8-0BB4-60E3-6F0B-00000000D301}68043168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455502Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:04.581{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0BB4-60E3-6F0B-00000000D301}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455501Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:04.581{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455500Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:04.581{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455499Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:04.581{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455498Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:04.581{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455497Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:04.581{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0BB4-60E3-6F0B-00000000D301}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455496Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:04.581{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0BB4-60E3-6F0B-00000000D301}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455495Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:04.582{D694AEB8-0BB4-60E3-6F0B-00000000D301}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455494Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:04.366{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=478BC42D1C1538C3C1428617E73273A6,SHA256=C73CD8F8297D199B76775EC0C47641CC3CCE30D35F4D476F83EA85BACC257E27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400290Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:04.113{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=127DA1BF6EFC8E5AA532B694C16DE811,SHA256=F8CAA885CD82050648633991F4F437A754ECC0A6CA13B85586F877F58615B1C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400291Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:05.113{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4B469EFFA71D55945B61D49B86C6880,SHA256=FABB6F1EE7A594853E6491BF646A7D737657879DB71D86955EB96F3ABA5C338F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455507Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:03.433{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61064-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001455506Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:03.433{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61064-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001455505Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:05.380{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32E4857B8A9236F8B60627432E36CF6B,SHA256=8E111332C20E8F831B9E789603AA42071E58B88B68F70417962D3E09E54D7FE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455504Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:05.080{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=772307FC162B9A335B567B78D160A7E0,SHA256=80165C5619FBF6206B28922DBDB0939D9231493C6753D71CAD3097628188981A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455508Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:06.395{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB38DE2E16E3ACB20622C3C4CA515AF4,SHA256=15255D05D141A94704635E5A296CA158377A817F1A258655E68760D9816FB744,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400293Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:05.465{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54047-false10.0.1.12-8000- 23542300x8000000000000000400292Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:06.129{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983B0DEC66E246BFEF099439BFFC633A,SHA256=3E54E1A6890D0E462C15E35485BC5A7B0ECD333F5936F13F4AC63D6053714075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455509Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:07.427{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F4CEAE5CB7086BF7D066A2D247DF006,SHA256=6D54CD8C3C45A75BD516BC3C59288F8D513B51C36567AAE6943B1D02C22D5518,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400294Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:07.129{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9FD2464932ED8DB5BE8E9F01F01C237,SHA256=D2124A181BBB15EC702F992C1F8B32FAD184888C1401ED67E220C0F17032F23F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455510Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:08.446{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=646A169A263FC9B75DCB149CA844DC7F,SHA256=0B046BE9E834D3C5FA837C1DBBD5B40B6AA9D186E52CE801F829949E4036F304,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400295Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:08.129{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E655E62620CD00FE290D5202C4371ED,SHA256=92FBAB01A6F750FE2996D4C82A64810B387E2E0D1685742A76335770FCCE9904,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400296Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:09.129{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84256201FD70C5B093AF89B403766B0D,SHA256=DB5FB4723EA8FCE74F1FE4819AD6C910FB7316BA0179D42D34DACC45658BE8B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455511Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:09.461{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A23004EE45AB220CF7B2B6147AF2D539,SHA256=2796428016B5777EE4A0C820C7F830210E54859ECE79AB541B9646C403AB29B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455513Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:10.491{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55E1235ED73E30E3FC65F01F7A8E693E,SHA256=BA7CF3C7667EC7A35EE425411BB906D895811BC04BCF1315254F65627B42D72D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400297Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:10.129{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A72BEDF71DCCF6D3476EFDA7357BBF5C,SHA256=4F66DCE0DB582411FD25AA1D007010F0AE4F7E5BC81754F79D8D0B872E6BFE50,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455512Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:07.655{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61065-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455514Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:11.506{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=031CF584BCF7CC6186376DF4F5AE0F02,SHA256=0D5902696135683FF108A2715BC9B7029957851324B52CB132A33501745730FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400298Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:11.144{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A7B8A7F924D444F0AD9E219B3FF31E1,SHA256=FEF6215E9C4762D2497B9FC909FF776C1B0C6031E7A781954CB5740936D8B548,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455515Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:12.523{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8AD3510E8924325EAA0E08B7C3827BD,SHA256=6627775C376B6E9B0226F27ADA0E4E379D449736FB7C9EE0ACC0F4934C346D93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400299Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:12.144{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD5FF2D7B8E32B4F57875E24B2C17EB3,SHA256=732C0910215762427BC1A930B1A55B8A8C702FFE808AE23CF1095C6998153F93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455516Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:13.556{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=795DB34110D49E92B8B24B7F510ADC2C,SHA256=4036D24EFC0FDDE4DD38B9B6E1FED5CB6959A0C4284B3B4D03611159253C20F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400301Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:11.311{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54048-false10.0.1.12-8000- 23542300x8000000000000000400300Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:13.144{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=407DB2E7383E6FB1F50B9A6EC9F40EC6,SHA256=3B683B00C936B613C1CDD54E911D97BB609CB3310F6CE26AC048EB7F374E2F2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455517Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:14.558{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF86D3AB0D89EA9C3F76265AF9880BBF,SHA256=ABE9D6B6A8AA13ADAD6931A77AEE7EE1DF37E0B45F8396583AE884007C348D92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400302Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:14.144{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7179DE8C1147721959414CA3166A3D9,SHA256=8B3BC952FF555D999B8F3F26A03A179A255C9CF886897516514859A53ECF4501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455518Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:15.573{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E79F2423B631134B28752D75AFD98422,SHA256=3793AAB595B9D2F1F8A4D10FE4C5D02E2AFF07F356F0AB424C49B067570ABB08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400303Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:15.160{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95FC88BF200BBDC20FAB8A0800161B91,SHA256=122992A68497923E13573F09456A7D98FF9258E46A0A3026F4DA1E5393692419,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455520Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:16.588{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5233AA272461BAA9C51AA414CE223D9C,SHA256=0FD2BE31EF2C97425F20FA65742B467886C4135E2778717D26620975CA201EAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400304Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:16.222{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D5C4387C1839239E9CEEDF0BA7366B,SHA256=C9FEF49890EA160826E77C5D5127951525C5DF031B3CF3FC3B47FEC4FDF1920A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455519Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:13.652{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61066-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455521Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:17.620{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3719EE48918AC9A4C4560DB4CFFC7928,SHA256=3C8F7BD5E5DC4651D82820FC46742D1A8CD876A28F45ABEBD045A48C338DAD5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400305Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:17.222{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E597087809570DE7CE77EA0A9581A77,SHA256=1987D645F3A1DBCAC3B1618DA3A6C9C1FA7C22CEF51B4B4429FF0C1D176D81B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455522Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:18.639{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52F4541FDA2CB47F720C614F6E9B7399,SHA256=D5F8549272E01A19066682F472B794E5FF9228F2413052D70927B689EFF35FD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400307Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:18.457{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC572F89282000426946EB9F8A77073E,SHA256=03743A177EFD49432C436B1845734E6E0B8AE70EC113FE98D6DD1544A0D95D98,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400306Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:17.294{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54049-false10.0.1.12-8000- 23542300x8000000000000000400308Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:19.691{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDE0166C38D7B36850290E2E390357C6,SHA256=5BBFA04880CD6FB2BE4496F15DF5FD6168906F9A8B5A582809850EFB0D36B52F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455523Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:19.654{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=884AB1988406E76B8E71DFA64676760B,SHA256=8E60C7C9FE2AAD86F817E55C497BEBBFF7758F9434D6C6D35FE7103C9F7F111B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400309Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:20.847{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=222A2AE543606558DA508F13381A2BF0,SHA256=3B78DD2A69B7B690908E70C41121D8E2E4EAB6BC1E9B0BFB25CD0BE184B225F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455524Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:20.684{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CD112750065906BE91A58EA5794A5BB,SHA256=2B17D2AD496917415EFBD9B3BD15C70B89C3C1C06C717FF69EEE3998B5B54F32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400310Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:21.847{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CBD4090723CC9E7237789F7C88F0668,SHA256=27E0E8A3CFB57D587B8C78ECBD0CC49FA40CE024200B9D25096B02A6CB35180A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455525Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:21.716{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CE3D4CAA4032A62A144F7DC569786A3,SHA256=B581C1AE956E9D6EDE09996DBC8BE9B3A248F6E612A1A334B59F60C7AA60F75A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455527Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:22.736{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FA3A000A8BF0C9C178E62732FDAC5BC,SHA256=06BD590666249D8C21017919BC255E7044329058F697EBBB770AA176F746146A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400311Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:22.847{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=543CABBEC5BB3A033F1162150CFFCC50,SHA256=8DCD48B646F330F24C065331449BC5080770E18091FE32E104913C38DC630ABF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455526Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:19.665{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61067-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001455535Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455534Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455533Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455532Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455531Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455530Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455529Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001455528Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.752{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A68583C66992A091A6726D427458B710,SHA256=874558F2414AEBD00E6CB892A011EAF8B1739A724811436ECEEBAF3CBB34B7B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400312Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:23.847{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=620637A7C24AE1FE702478C690F59C0F,SHA256=CBD549960B39A767D6EF901030338756A7D38CFDF603A37DCE9382E69AC43110,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400314Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:24.847{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=878DBFC98A3DBE1E651DF8D371D0FD81,SHA256=04C82DB9680118A886B4B3F05870B0D6A02D9EDA8C2C9EC79012E519ABADD57E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455557Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455556Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455555Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455554Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455553Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455552Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455551Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455550Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455549Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455548Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455547Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455546Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455545Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455544Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455543Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455542Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455541Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455540Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455539Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455538Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455537Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455536Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:23.998{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000400313Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:23.262{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54050-false10.0.1.12-8000- 23542300x8000000000000000400316Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:25.847{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=931BFA6E58DBB535FE06B1BC10FFB72F,SHA256=B154F4D72EB4B6C08E8301419A3394A81C0D5E719A7D54653BB23E275D8DA862,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455558Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:25.251{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEE2724829282F9539E27742A7C5D41D,SHA256=E294B1F57527B73FD754CF26F990FE10AE8344B96F6258D02055A44A4843F095,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000400315Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:40:25.816{7F1C7D0B-B3E4-60E2-1500-00000000D401}1036C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d771a3-0x4f80ce79) 23542300x8000000000000000400318Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:26.847{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88F6FB4546143A14529B36B876C849A9,SHA256=6208FF564BB676264ED1B9D3B40F8DAE78A10194ED200C6E6EE44C3616FE49E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455559Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:26.266{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BD77A3590B56C8718B9E5F863FE18CC,SHA256=0555658D1393BFC050C642A38A3C9A4C2C08134FE85079511DF0D7B1D2C650CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400317Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:26.379{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1754BDC2F974CFB414542D1657396275,SHA256=EDEE9AE5F582FDFDA4B943F35140BD8DE2DB4C4023B2A9C54415981F148C41E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400329Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:27.849{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19A06DB8195345B240FE9579D901B95D,SHA256=81E22373F194935F3138E11FE48F338F699849870DB454EAE26F8868E4AF4C85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455560Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:27.280{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB0C13173ABDFDFCB74AE021DA2C1991,SHA256=1A18A858D714756C3D3CCFB029B7B1E2BF36B2D32E068C7E17146B520D93F12B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000400328Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:40:27.786{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000400327Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:40:27.786{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x015770b7) 13241300x8000000000000000400326Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:40:27.786{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7719a-0xeec93e6d) 13241300x8000000000000000400325Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:40:27.786{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d771a3-0x508da66d) 13241300x8000000000000000400324Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:40:27.786{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771ab-0xb2520e6d) 13241300x8000000000000000400323Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:40:27.786{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000400322Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:40:27.786{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x015770b7) 13241300x8000000000000000400321Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:40:27.786{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7719a-0xeec93e6d) 13241300x8000000000000000400320Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:40:27.786{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d771a3-0x508da66d) 13241300x8000000000000000400319Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:40:27.786{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771ab-0xb2520e6d) 23542300x8000000000000000400331Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:28.911{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=269EECE3BE950CD05069B466EDF65939,SHA256=3B0749857C59E11C1C996B1708AE3E297090168BB8F9C1E298583E8F711A973D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455562Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:25.696{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61068-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455561Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:28.312{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AF14BE7609F8243D8FFD3A3726C9995,SHA256=420DC152458B1DF352818F9F7CB905E0CAF0F1E845E1F9F0CA0B4C89D6981271,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400330Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:26.011{7F1C7D0B-B3E4-60E2-1500-00000000D401}1036C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal123ntpfalse169.254.169.123-123ntp 23542300x8000000000000000400332Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:29.942{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B41025E9A11E098A7A1C093F9019331D,SHA256=90DF4290324910B59A2C3F1FB3900B22134D1D41F8861C1E271FA76F4CA08D80,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455564Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:27.342{D694AEB8-B3EA-60E2-0F00-00000000D301}376C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.47.130-63239-false10.0.1.14win-dc-201.attackrange.local3389ms-wbt-server 23542300x80000000000000001455563Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:29.331{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6384ABD0992EFABAB50E6A3C1FCD8742,SHA256=9C020BEFD1BC5FEE752440966C7FDD32E5BD9CC46653B5BA0B05AC27F295861E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400335Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:30.942{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=700BD500F3CEBB9AA3E7E553B81E819A,SHA256=FB4F1821E37E2CFF10B6B111402B4D1CE9CC368F2E5619999227A0B969AB805E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455566Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:30.744{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455565Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:30.345{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28CA74EE842697FB04FCC6149D97B128,SHA256=680FAE662674069457AD628AD77BFA262F13CA27E3AA8CAFE9C87F154FEECA28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400334Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:30.599{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BD81C69C825AF3BF91F5A6D462C888E,SHA256=3BAA9263DCBE6B1EB0D62DEE23ED0B3B38DE1FC4F41507B6FF1EC6F8D939B86D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400333Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:30.599{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D377D3D3440048A8B855B56B280035CA,SHA256=1923D76D4AF05ECAA840814A46F93FBEF7F2FFE321C1888346F16A61DBEE963F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400339Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:31.942{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=903F898DEDC43C31D1415EDA9EFB7F1C,SHA256=0E29D872D3F0EC338AF6359231DB76943E4870DF1DC0B5140E8F46FD5DE91D94,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455570Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:28.709{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-201.attackrange.local51504-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x80000000000000001455569Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:28.709{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local64422- 354300x80000000000000001455568Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:28.709{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local64422-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domain 23542300x80000000000000001455567Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:31.375{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41B89893740C64B326058B6EFB8127DD,SHA256=2AB9C9343BFE55DB0C328A00E494E69A5F8B137BE9B02FDAF9F1324D70002A98,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400338Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:29.510{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-53368-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000400337Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:29.263{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54051-false10.0.1.12-8000- 23542300x8000000000000000400336Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:31.411{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400340Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:32.989{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49AEE0909C17D061978DA5605ECE6452,SHA256=828EFB2AB297D192544FDC26C19091E6001123CAC14C404308227C76B2291735,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455572Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:30.176{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61069-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001455571Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:32.408{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34CA663EDEF775B52FBD99FC30E18863,SHA256=5AEE6F926BD5DEA38FEC51027902CAFED8F917B61A9F815CAE549BD2427AC667,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455574Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:31.474{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61070-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455573Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:33.427{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6B056B1968933EE199F72BC24A10195,SHA256=4BEC6CF18B43FBF698332E440520059FBEF267AD0766C7A3E74A24A57DBFD28B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400341Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:31.607{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54052-false10.0.1.12-8089- 10341000x8000000000000000400355Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:34.677{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0BD2-60E3-D80A-00000000D401}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400354Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:34.677{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400353Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:34.677{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400352Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:34.677{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400351Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:34.677{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400350Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:34.677{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400349Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:34.677{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400348Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:34.677{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400347Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:34.677{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400346Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:34.677{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400345Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:34.677{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0BD2-60E3-D80A-00000000D401}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400344Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:34.677{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0BD2-60E3-D80A-00000000D401}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400343Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:34.677{7F1C7D0B-0BD2-60E3-D80A-00000000D401}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400342Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:34.005{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9306BC8FFA658EB5D6F13D0831A9F5A,SHA256=3D0672F033EC8AF18673FB53E1E703687FAAF1790B893BA592C81F92604A8F75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455576Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:34.441{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76B3591F867F05532303376B2E14A966,SHA256=9ED5E43E9D2781A20FFAC30B72A2B355DBB9750009D7DE812DE351017699D7FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455575Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:34.042{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=05C50662C8C36C72AF1357C9A7A39B7C,SHA256=FC148F86857644DAAE5603AFC640B2A7A0D66D54C0838F61D5F0E5FF45BCE7FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455577Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:35.456{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F142C736C36DC9EF6D7190ECC6AA1E2,SHA256=CE4A3CAD58C367C58E260A5EFC22D95AA16113997E8A709D76ED190EDF9E60A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400371Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:35.724{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FCC4607ABD579D2F9D829448798226F,SHA256=2216D2AE540E5C9354DFD0DA575A0556582A79DE694F5E5E590DEE325FDB9E75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400370Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:35.724{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BD81C69C825AF3BF91F5A6D462C888E,SHA256=3BAA9263DCBE6B1EB0D62DEE23ED0B3B38DE1FC4F41507B6FF1EC6F8D939B86D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400369Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:35.349{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0BD3-60E3-D90A-00000000D401}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400368Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:35.349{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400367Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:35.349{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400366Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:35.349{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400365Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:35.349{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400364Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:35.349{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400363Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:35.349{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400362Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:35.349{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400361Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:35.349{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400360Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:35.349{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400359Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:35.349{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0BD3-60E3-D90A-00000000D401}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400358Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:35.349{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0BD3-60E3-D90A-00000000D401}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400357Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:35.350{7F1C7D0B-0BD3-60E3-D90A-00000000D401}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400356Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:35.020{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08C3A7DAC99BAE7416AF856BF1180E41,SHA256=EBCBA437DE58D63BC541783B14FBA9FFE8AB3D641CED6BDF6FA60EB0B43067DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455578Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:36.470{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3D21B1C4A958D0EC55070C2C1A423C8,SHA256=DBFC16C1602CB82EE7E4A70F405186DD313CEAEFC3E463EACCDD5A0275E0C5FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400386Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:36.255{7F1C7D0B-0BD4-60E3-DA0A-00000000D401}3820888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000400385Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:36.036{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EB06C19F7C0863E06933B328122F7D5,SHA256=6CF55388B7397394AEC75F81591F6F792441C2E1BFE558C5F48FB8EA0EE62512,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400384Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:36.036{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0BD4-60E3-DA0A-00000000D401}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400383Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:36.036{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400382Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:36.036{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400381Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:36.036{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400380Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:36.036{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400379Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:36.036{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400378Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:36.036{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400377Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:36.036{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400376Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:36.036{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0BD4-60E3-DA0A-00000000D401}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400375Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:36.036{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400374Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:36.036{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0BD4-60E3-DA0A-00000000D401}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400373Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:36.036{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400372Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:36.037{7F1C7D0B-0BD4-60E3-DA0A-00000000D401}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455581Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:37.906{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A7D862D0EA6EA4D03F3BFD4F74B1205,SHA256=DC1606D883F8573B11A74A7305ADEAF27591AF3335D0D6582D5EB56DE8213A5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455580Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:37.906{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81DAE4886042AADE85994027BAE63DEC,SHA256=CCEE21C4BB13A907AFFF4D010AF55CF48C133E21E76A0C1DEB5FF5A550EC6BBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455579Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:37.485{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D90304653BE5064A6549281FE3C7594D,SHA256=6B116FCB99311B6E2245CC7CA2CBEC721D0BF8E7B437CA4D57867CC9B257E0F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400389Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:35.295{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54053-false10.0.1.12-8000- 23542300x8000000000000000400388Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:37.145{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B12C8F90927350536B84B3CC50F23F15,SHA256=E924EAD210385299BC1F51E05A0D751A4FBF71FD9DC4C7E4AECB5EA0FAC4412A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400387Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:37.036{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FCC4607ABD579D2F9D829448798226F,SHA256=2216D2AE540E5C9354DFD0DA575A0556582A79DE694F5E5E590DEE325FDB9E75,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455583Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:35.919{D694AEB8-B3EA-60E2-0F00-00000000D301}376C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-46233-false10.0.1.14win-dc-201.attackrange.local3389ms-wbt-server 23542300x80000000000000001455582Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:38.501{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36FFBC098C743FD32841212D33C265B4,SHA256=486DAA441F6963CDA4F1DEF7E9A0AA8068EDAF876350B63BD90F482810D71DB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400390Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:38.145{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2784AED7E2A7E8440BF1CDB2F959E421,SHA256=CB5BDEF67ADACB63C09D6AA3F0D45F0FFB86ECF2C1FCF87E55393091C1245202,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455585Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:36.485{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61071-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455584Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:39.520{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A593512A49D490CFBD809DD08430A798,SHA256=306D2A2A2F2F4CAFB9ADB8E53564D9DEFFD3AEAB3E88DBC0FD6F5F9FF5EC9BAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400419Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.911{7F1C7D0B-0BD7-60E3-DC0A-00000000D401}3504292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400418Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.661{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0BD7-60E3-DC0A-00000000D401}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400417Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.661{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400416Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.661{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400415Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.661{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400414Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.661{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400413Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.661{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400412Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.661{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400411Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.661{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400410Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.661{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400409Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.661{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0BD7-60E3-DC0A-00000000D401}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400408Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.661{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400407Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.661{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0BD7-60E3-DC0A-00000000D401}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400406Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.662{7F1C7D0B-0BD7-60E3-DC0A-00000000D401}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000400405Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.458{7F1C7D0B-0BD7-60E3-DB0A-00000000D401}40403772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400404Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.161{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0BD7-60E3-DB0A-00000000D401}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400403Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400402Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400401Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400400Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400399Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400398Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400397Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400396Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400395Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400394Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.161{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0BD7-60E3-DB0A-00000000D401}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400393Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.161{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0BD7-60E3-DB0A-00000000D401}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400392Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.162{7F1C7D0B-0BD7-60E3-DB0A-00000000D401}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400391Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:39.145{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AC25695B893AD42EF7788A9E6A0C0B5,SHA256=B90D3C8571E3E14CC3E7A2CD1446D955A3A2B1088741D3A363B558930DCD8500,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455586Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:40.535{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C96F95E8DA738D8FB5CB41CE97C04EA,SHA256=D8F432F63B1CDBC76577F971183E0F7A47F7277EBCF53A51257DCEB3E8D5EECB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400448Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.815{7F1C7D0B-0BD8-60E3-DE0A-00000000D401}19362812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400447Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.674{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0BD8-60E3-DE0A-00000000D401}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400446Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400445Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400444Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400443Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400442Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400441Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400440Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400439Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400438Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.674{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400437Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.674{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0BD8-60E3-DE0A-00000000D401}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400436Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.674{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0BD8-60E3-DE0A-00000000D401}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400435Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.675{7F1C7D0B-0BD8-60E3-DE0A-00000000D401}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400434Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.177{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=464A4F6564274DF49ECCFBD4D6826E8D,SHA256=C5B3FAB8E07BB2A6EA46E78E332168C763F6223F02DF4F522D4C666083BE1494,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400433Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.177{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99555E9B0B5EAF186678865C76BCAB3A,SHA256=9A268CB31DEEE3772D9C182441D7215221DBAD5D1CB8AEC53C51FD95E0B9FF44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400432Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.177{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0BD8-60E3-DD0A-00000000D401}1488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400431Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.177{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400430Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.177{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400429Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.177{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400428Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.177{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400427Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.177{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400426Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.177{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400425Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.177{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400424Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.177{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400423Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.177{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400422Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.177{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0BD8-60E3-DD0A-00000000D401}1488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400421Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.177{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0BD8-60E3-DD0A-00000000D401}1488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400420Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.178{7F1C7D0B-0BD8-60E3-DD0A-00000000D401}1488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455588Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:41.880{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A7D862D0EA6EA4D03F3BFD4F74B1205,SHA256=DC1606D883F8573B11A74A7305ADEAF27591AF3335D0D6582D5EB56DE8213A5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455587Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:41.550{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=610064AD0CD177B95DF3826BC1E7BAE6,SHA256=69A6089747D89EFC3439C2E4B246F4774B8D5709435318D307931C1494FF6C96,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400451Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:40.357{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54054-false10.0.1.12-8000- 23542300x8000000000000000400450Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:41.315{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26461C310C66EE0C436BF4A93CACD71A,SHA256=9B064C85EBCE37B180DE397BDCB4FE38F7D169BE0A555EE80517BA96DB332B40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400449Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:41.252{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B21DB622CD6A73874D42F8F904FA6F4F,SHA256=B45E7178D2CD9930BFD648B180DB7C206814613F8C749E45F8C7CC88CD02E0F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455589Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:42.564{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75829EF8FC78ADD3AAA41D733E7C1FAC,SHA256=A5C27EAC580086197CA13FBFF0348C7A0AE075D497451170DB968BDBF3076BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400452Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:42.255{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74F25794A330CF5BD25A3DE86E754E6A,SHA256=0F5757A5F20D837BE4A06DB9EC05C2900E0729D1802A6BD957715E2DD47426D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455591Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:41.564{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61072-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455590Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:43.579{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E60E065399E8B1666771F28E9700F97,SHA256=38BADF8559724FEECDE7EF5F4944F85B2825195BEB0A4372D6CC8F60BD4BA59D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400453Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:43.489{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73C3C7299890F9D04B15B77E33272B1F,SHA256=2479451CBBD049885D5097363936DCF11E9B23C1E876E1841AB8EE69F7BF8F49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455592Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:44.599{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1459D49CF4837923C59D1671DC3443D1,SHA256=E9C6CA890BA5E9FAC599DC093560BCBCCC89DAC15406B210FA00E7EADF722CD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400454Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:44.536{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=413A10DB732A529556AEE32495F1C9ED,SHA256=9606169E32BF31E91D69E03D1AE1B2150A5B9000E28457536979E4D662C052CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455593Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:45.616{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92017AB07885CD16709A7042705D61C1,SHA256=67203C43B0A8C68AC4409D8F67DA22BB5942B0625F9169CBAEBBCF98A63CAF5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400455Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:45.536{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07DF4C498F801A75E5D8D3D059889B9E,SHA256=2530F74CF0ACD1E49F2DAD4EA74A9FAE5535DD984B7A6904405280CBE29B10FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400456Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:46.598{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3BF596FB0C4007626B7636889A0529C,SHA256=DF3F75F1820DEC754A823A027EEDCC237F593FA13521E68E8DA856CE33A2CF18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455594Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:46.631{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82F45985F6766E654F0DEA77AC4466A0,SHA256=EF5AA0F3D6E3A0B7D6A9875ADE06C759F43005AAC44BFC5B844F42011FE7B2EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455595Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:47.646{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09811CE62E922A3C5F10252611DAC061,SHA256=48D5569413047B7052110D98617F1BA3B64113B942A24DEE5C886160B7BB37A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400457Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:47.645{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5999B6BCED9F0356FFA35468EE16962A,SHA256=68801625CE724D1FEEA6CC74322CD10E0E8C076BC0602A85B55C60CB9268F15C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400459Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:48.645{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=205C144F22ADA7FF665D0505B3978C29,SHA256=03C22031C63F1105AE29196BC871A9E875868A7A971F4B7F7C7885DD5525A705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455596Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:48.660{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5F48280BD6B041005171CF5B41783E1,SHA256=20030BA0B91DFE941310D19917FDA7A02DC9258B93D10AEE2282E9816A37DC87,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400458Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:46.373{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54055-false10.0.1.12-8000- 23542300x8000000000000000400460Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:49.661{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=496AD71B8296BAE2912C3C1DD7CE603D,SHA256=5D140D0C41FE7DD320AF60FF36A541E57FFADE2B529899D02860E6F9F284187B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455598Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:47.592{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61073-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455597Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:49.675{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C70B1110F053AC8D3D34D40BD1F093AB,SHA256=53BB112ECDD074E9EF7EE2BB06F81ED5C25A76D70520712C14C0D9B250BAEBB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400461Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:50.676{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B50D1C208869B1DBCF744E8F47B4A55C,SHA256=5D541C11385479C5688E5E876F0BBDEB9781625AEA3356F72A426EF066C1C745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455599Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:50.692{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983930FC5184BA364AEB28C8C6783B1C,SHA256=AE1F797DA84DD77335CA201F2C78235F08388A6E2FF7824835AE909259A07DD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400462Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:51.676{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74E5E35EDDC526680D465AA5A2384E83,SHA256=CC095EBF78826A003284A5DB19FF580D7FA37B076C7E8991532B5267AA11BFF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455600Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:51.710{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB321B7A8FA92242031E97D41055C863,SHA256=6A83BDEDD01E6C8B7FAE9C8DDEBC63BDB2491D18F822166C7896385D24437764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400463Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:52.676{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10DDA38607F4EC9C6EA71A5B10F3E2B2,SHA256=5386031315FB214FD181FAD55A1522DCCF8C40BA1D27EE6AABCC1A9963E1BB2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455601Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:52.725{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A37F07B346B7BF1D753BD89F56D5BA1,SHA256=42E89F1246882E1F7ABA43ED8F0107A2D5FAEBB2DCAF9DBE98A810AC1E79E5F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400465Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:53.817{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B9F08B8C5D821351A78F27655863454,SHA256=ACBF566CBC74110A4D751C4484FE165D4B3BE44E24E8891DDB48415F0B526352,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455602Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:53.739{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AEE78E5574F9320014C72417DE93C85,SHA256=78F9CFF62363969501D5647F2D58568AFA8A8C7D21F34F1E5AE34AF200C033F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400464Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:52.357{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54056-false10.0.1.12-8000- 23542300x8000000000000000400466Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:54.958{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D319B9FEB1DF0296EC274625F81F415,SHA256=B3672B146DB216320D948BFB23014F34BDF8B93ECC5ED5B07362754F3258E23F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455603Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:54.753{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=507D64408C4E597F4221F49703AF2850,SHA256=ABE9EFE001C72992721DA63D2775EEF6D4AC7E0002D0CEE2DAF9520D331B0D78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400467Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:55.989{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA134A95C8214D95F29CBA3064DE1CD9,SHA256=5EF6EC4766BFE051CF6F0C1A73E0CD75E6A651F8490830F1BE6FD361CEA06F29,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455605Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:53.585{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61074-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455604Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:55.768{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2B6570E54A4F1BC1D02D3B24A014562,SHA256=86D3AF0A062CC29ADC3E76447842F48AED81F7D22578BD98ABEEB4F7D446B04C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455606Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:56.786{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC5FF38327F5762A90C55266AD8F1C7A,SHA256=0AABDA51A899DBFD131A21125C170C301690CE8B0241D87308AC4C8EEF006C57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455607Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:57.803{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F305E02A8F88ABDF4D1AB47E948D7519,SHA256=C7D72D88FDF41225543D929E24FC84FE77EEBE5D22D9D34790E323E4FA070F92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400468Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:57.036{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC4A774BF7AED5D13EF2F4304519324A,SHA256=C8F5D5F9C8A15ACD43D3AB9B61FBC06ED35F4ED59D1528805BB284E7F66EF90F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455608Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:58.834{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B577CE9B9E446D4776517C100013F0,SHA256=46D6A00B594308D6181E1367BAEB34713F345DDAB9975B309582FD5045B9DD79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400469Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:58.145{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=022CE674476B7D467C9CF51AA8493370,SHA256=0819449D532FA173F6609E0B46189B97256462D7E4367E6F2EC15D17905E5615,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455626Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:59.848{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48D218351B06465B63718DCA10D08A13,SHA256=184A89B9A7AF0AD67838A86F712AAAE152D27D134F7C9E340431BDBEB4CDCEBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400471Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:58.373{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54057-false10.0.1.12-8000- 23542300x8000000000000000400470Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:40:59.176{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B25CE39DC7EEEC6AC0CA049D8B86C8B,SHA256=6F2F873D11756B3C80228486D6410958DF57557CA8BEC0443A6F77A9399A0607,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455625Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:59.701{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0BEB-60E3-710B-00000000D301}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455624Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:59.701{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455623Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:59.701{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455622Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:59.701{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455621Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:59.701{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455620Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:59.701{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0BEB-60E3-710B-00000000D301}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455619Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:59.701{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0BEB-60E3-710B-00000000D301}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455618Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:59.702{D694AEB8-0BEB-60E3-710B-00000000D301}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001455617Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:59.165{D694AEB8-0BEB-60E3-700B-00000000D301}38442584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455616Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:59.018{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0BEB-60E3-700B-00000000D301}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455615Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:59.018{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455614Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:59.018{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455613Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:59.018{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455612Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:59.018{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455611Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:59.018{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0BEB-60E3-700B-00000000D301}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455610Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:59.018{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0BEB-60E3-700B-00000000D301}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455609Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:59.019{D694AEB8-0BEB-60E3-700B-00000000D301}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455637Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:00.864{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93832F5E07ADB4EB7A9223D6B96A5087,SHA256=2EE63F534ABF8E41585ECDC351AACF334ED778DD4F5F751CA5A60E05CD67B89E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400472Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:00.176{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B7CA6A9C95B1ED7CA1A0AEC2089BB6A,SHA256=A93D8B57BE0329E7EB5C5822B3C94CB68F03223008B9B73DBA3BAF81564E69FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455636Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:00.385{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0BEC-60E3-720B-00000000D301}4784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455635Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:00.383{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455634Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:00.383{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455633Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:00.383{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455632Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:00.383{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455631Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:00.383{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0BEC-60E3-720B-00000000D301}4784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455630Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:00.382{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0BEC-60E3-720B-00000000D301}4784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455629Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:00.381{D694AEB8-0BEC-60E3-720B-00000000D301}4784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455628Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:00.133{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F68DB0BFACE8E91DE437F2FAC192A59,SHA256=5ADEB4878A2D918BF93C0C067B69408FBFEDB5BA8EAFCB193A0AE4B5DBB70E01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455627Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:00.133{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E6253AC02C97CAE411801395A3A099A,SHA256=A0035EC48D32C0D129C8C2F9FBA3B189430B13015334BF0D9B26A47876505C06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455639Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:01.881{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADF6DC530DB9DA20B56799577CFB70FF,SHA256=87AAF7F48C67AE47E998080203B78510966E51F9F50587115EF8FE8845345AB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400473Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:01.176{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C20567E4684CB91C990DB9B9E582EBE,SHA256=6E3C88B124AA0086A05187BD0037FA6154FDEBF85181C6EC291D7BA87A53D25F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455638Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:01.401{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F68DB0BFACE8E91DE437F2FAC192A59,SHA256=5ADEB4878A2D918BF93C0C067B69408FBFEDB5BA8EAFCB193A0AE4B5DBB70E01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455650Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:02.899{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D261A0CC85544EC5385A558A343CD1,SHA256=396FF22D69DF617ED546C4E3DE0CFBF457F98876C5376265C80791434952B341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400474Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:02.176{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E2272A7BA71297300E3052181EE89CE,SHA256=A3322EFB097B37FCD5F4DFBEDEC294046CFA83126A8E98F10CABBB6C08AF3127,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455649Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:02.684{D694AEB8-0BEE-60E3-730B-00000000D301}6328616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455648Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:02.546{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0BEE-60E3-730B-00000000D301}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455647Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:02.546{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455646Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:02.546{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455645Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:02.546{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455644Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:02.546{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0BEE-60E3-730B-00000000D301}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455643Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:02.546{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455642Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:02.546{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0BEE-60E3-730B-00000000D301}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455641Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:02.547{D694AEB8-0BEE-60E3-730B-00000000D301}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001455640Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:40:59.580{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61075-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001455670Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.946{D694AEB8-0BEF-60E3-750B-00000000D301}5716388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001455669Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.914{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF9603DEE289AC161BBEB0F52ADFB756,SHA256=D0FFA6F94F5C29E8427F37EC3FD88CCE8F9171A8E2290085AD21195983CD0481,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400475Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:03.192{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3C689974353D65FFDE45A1750A1F5A2,SHA256=BB55471025EA5B28FF4ADF4C6FA410C89CFCB8A9F2E1FBF2D18596B51A4BEDEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455668Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.799{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0BEF-60E3-750B-00000000D301}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455667Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.799{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455666Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.799{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455665Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.799{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455664Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.799{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455663Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.799{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0BEF-60E3-750B-00000000D301}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455662Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.799{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0BEF-60E3-750B-00000000D301}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455661Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.800{D694AEB8-0BEF-60E3-750B-00000000D301}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455660Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.580{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AEBA2FDC301A555B1664A1827E71090F,SHA256=5C9A7FA91821FBA4CB45B9C6CEC69667351C278DEACF215B2A0BA5672EA9B3A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455659Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.314{D694AEB8-0BEF-60E3-740B-00000000D301}64561568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455658Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.183{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0BEF-60E3-740B-00000000D301}6456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455657Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.182{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455656Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.182{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455655Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.181{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455654Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.181{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455653Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.181{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0BEF-60E3-740B-00000000D301}6456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455652Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.181{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0BEF-60E3-740B-00000000D301}6456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455651Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.179{D694AEB8-0BEF-60E3-740B-00000000D301}6456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455680Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:04.929{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18972AC9AC658495253A2DC4E440053D,SHA256=A9D79898F1F95C93170BCC10FA3533866CBAFA32AAA7CBDEF28EC217D17464FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400476Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:04.210{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4064B2799D3BC8D3233EF1382AC35D20,SHA256=CCEB240F7671B663451D0A05A5C46431ED7EC7617D7B5351EF2112434FD00515,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455679Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:04.814{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CC0F24B075C42410B8025C1DA1AD6EF,SHA256=396DB076FC3C07E13F754AB65D8DC4499071DBDD4A22E15C18BC4243AC5E9DBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455678Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:04.481{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0BF0-60E3-760B-00000000D301}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455677Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:04.480{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455676Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:04.480{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455675Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:04.480{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455674Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:04.479{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455673Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:04.479{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0BF0-60E3-760B-00000000D301}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455672Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:04.479{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0BF0-60E3-760B-00000000D301}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455671Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:04.478{D694AEB8-0BF0-60E3-760B-00000000D301}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455683Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:05.944{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47F1D7DE6D907F61C0A0E46063CF53AA,SHA256=EB9077C51EEC0734022672E849BC4F633B79EC2F8F22DD08BCD66F65F0F039FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400478Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:04.357{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54058-false10.0.1.12-8000- 23542300x8000000000000000400477Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:05.223{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8265C6A0C915B3CDC6297D907844115A,SHA256=B28B190CDE63DC7F399DEC3AC6254818EB7750A4B314C0EDF7CC5C490C07E28E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455682Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.446{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61076-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001455681Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:03.446{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61076-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001455684Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:06.976{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93E20494424E87C768C7A4667CE59455,SHA256=CAA9AA373587E436C61402BC23F09B98F90B86F1625382C66F36F7AC00363A1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400479Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:06.239{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3420C64DAD12AF292BCD293434C158AF,SHA256=737B1CCD057BFDC12FAEF4744DE9B44254B077E3C106B97D3AB008A778EC2D37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455685Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:07.981{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4801A154B5F6CC7A32EEB58226B2F06,SHA256=DBFCB305C3BE5157B0148230C00D1921C491CDEC07C959CFE564914B38BFF6F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400480Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:07.239{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=572F3F30C78A1DE7D935D3384A98EF81,SHA256=45EDAA781ED0BF5033DF0E39F2DEEBD7DED9FA7D67BC07978EC5D4CA222DFABB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400481Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:08.255{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3411A89B3F84AE521169ED82CFD3CCE5,SHA256=BE01DEF63471090F5A08E8B2175B990709A8AAC65DC8CA7351E4140A85A26C45,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455686Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:04.610{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61077-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000400482Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:09.286{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FF3D74A6EC2E0D53703F385ACEEB779,SHA256=788CD928A930EAD3B0D743756177C8B98631A0DB8445BF18E87614EE5BA752F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455687Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:09.011{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95D1E8C35E1AC469967FD2849A1AC2E9,SHA256=8B13532CE5FA2C8C4D5D0316F1F9F035B810965F9B79223AC830942464330928,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400483Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:10.442{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C67A2E9117C7C463FCC32BAE52A5F34,SHA256=18D1AC0967EC699A35F723D38787B13E31056F7CFBE266AEDAEEB551C35946E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455688Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:10.026{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E8A2953CD402656834C2A33D828122C,SHA256=7AAEF83BC78BF1BA24D826BE451EBA6A3377426AE60BC1172692DD0554362FC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400484Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:11.598{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ED1C71A06151E8DB19872C7280F09FE,SHA256=EB4B3504EDE5B57F8D034F19B4F02C758DBFBC44158201140FD7B315D804E115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455689Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:11.040{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B30C42B5BAC144B2623FEA74727A266A,SHA256=3535459F58EE8C83F81740C1964DBA0CBD0A45B8588A9885E771F29A5EF5E14F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400486Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:12.739{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98D573F7F6B2AC34436106BFF94B6CC4,SHA256=E136CA906AFFCB523FA514A36045B7FF2EFB2FA3371368A9F9613EAA180A0CBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455691Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:10.618{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61078-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455690Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:12.054{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC9E8275CDF8F9984C3A516D1D96D93A,SHA256=E2DCDF668E908965892AE02233A5C3965B47E523E1AD260969094DB477A17B6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400485Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:10.326{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54059-false10.0.1.12-8000- 23542300x8000000000000000400487Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:13.833{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0575CDA5C3E7292CC2640A9300D84C83,SHA256=F83C4AD704AE6E23EE39BCA1D9A4755DE9F16890630002F1E2C1EB7395797EA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455692Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:13.072{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=153F67A27962B1A4CDD673F8980F0B89,SHA256=E4CEE8D4D2AD6CBFE049A4DE10EA23730A373B28136E45981ABBAED730F5FE9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400488Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:14.833{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70B59B732282F2B47DAE41DD0CE4E8EE,SHA256=682B8A82E92C8B430EAE99FF845E0552975ED295EB0DA080F921E3B401C30C18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455693Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:14.108{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F18AEAC8A46F15336A5D0442601D3A35,SHA256=49894D84838428F6A0565BB1E1EEE442717BCCE58B4CF97A66AAF7BB003123F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400489Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:15.848{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A22AE8AC8B0500692198364EADD89253,SHA256=A422958F9530638D290484E574DB9348572853096043702A79348417E201B521,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455694Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:15.172{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3F967203EBF56D4A84854EAD5E0457E,SHA256=C1493226C21C51C5C617E220EF06FBC6BB578ACC9F8CCB8BE810A3160CAFCEE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400490Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:16.926{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5CAEA79F8E691ACD5504AC5E7E06011,SHA256=C2663327AC7B4EEC573BC9D5BE7AACD645BB623D817C6500EB6B2D7E210A2A31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455695Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:16.191{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28565D9ED65CEFF960454FC2D07B82F3,SHA256=3DA679AC2FC79B6E217675A03B98EC8F3DAB68549DDFAC36E9264953EBF3E453,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400492Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:17.942{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B77632C61BC2A8F0A79296271A142A9,SHA256=B03154F9B355CB7573F50BD8E78506F6245338F7A6F9D356EDB1BD71F05A8BD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455696Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:17.192{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05F67C81C39CB225E640CE8315596956,SHA256=A6141E8B716ED1A3ED2D26CB890C7F37C59CA0B1B2E5EC2100C3385F2424E68F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400491Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:16.279{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54060-false10.0.1.12-8000- 23542300x8000000000000000400493Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:18.958{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FA8394F35C363A589F0CF9F8ECB8C34,SHA256=A102B73BF179C82DE43F6980830CF78B1377F64A41C40F4169D279FF24F7245B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455697Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.206{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5036C7E4527AF42300C71F78CB6205F,SHA256=5BF4B9BCC92C0192B49D4B097D5E9C9A52777141307E1936248551208EAC6C95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400494Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:19.973{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75DA2811FFEDD9826F1222C8938740F3,SHA256=7176FD10B6A76696A6C3987FD5007201A57E180A13C9C4D14E949D9ADD357548,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455699Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:16.617{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61079-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455698Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:19.221{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=879147C4684CBCA707E588D2B3F38B0E,SHA256=8A61A4876581B1782523C72D083A36910915A75D0D9E628F591CE893CFF55BFD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455750Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.752{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local63509- 354300x80000000000000001455749Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.751{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local63946- 354300x80000000000000001455748Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.750{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local50523- 354300x80000000000000001455747Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.750{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local63077- 354300x80000000000000001455746Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.749{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local62106- 354300x80000000000000001455745Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.748{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local62117- 354300x80000000000000001455744Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.748{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local59642- 354300x80000000000000001455743Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.747{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local58666- 354300x80000000000000001455742Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.746{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local60313- 354300x80000000000000001455741Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.746{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local60138- 354300x80000000000000001455740Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.745{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local58812- 354300x80000000000000001455739Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.744{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local58010- 354300x80000000000000001455738Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.744{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local65464- 354300x80000000000000001455737Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.741{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local58054- 354300x80000000000000001455736Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.740{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local64306- 354300x80000000000000001455735Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.740{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local50708- 354300x80000000000000001455734Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.734{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local60034- 354300x80000000000000001455733Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.733{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local60232- 354300x80000000000000001455732Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.732{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local59351- 354300x80000000000000001455731Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.730{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local62008- 354300x80000000000000001455730Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.728{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local64266- 354300x80000000000000001455729Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.727{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local63434- 354300x80000000000000001455728Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.727{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local50951- 354300x80000000000000001455727Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.726{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local56554- 354300x80000000000000001455726Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.725{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local56471- 354300x80000000000000001455725Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.724{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local57008- 354300x80000000000000001455724Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.724{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local62815- 354300x80000000000000001455723Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.717{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local58651- 354300x80000000000000001455722Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.716{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local49802- 354300x80000000000000001455721Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.715{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local63258- 354300x80000000000000001455720Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.714{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local60007- 354300x80000000000000001455719Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.714{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local51132- 354300x80000000000000001455718Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.714{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local58858- 354300x80000000000000001455717Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.713{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local50985- 354300x80000000000000001455716Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.712{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54046- 354300x80000000000000001455715Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.712{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local56185- 354300x80000000000000001455714Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.710{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local57071- 354300x80000000000000001455713Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.710{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local56185- 354300x80000000000000001455712Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.709{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local62588- 354300x80000000000000001455711Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.708{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-201.attackrange.local62588-false10.0.1.14win-dc-201.attackrange.local53domain 354300x80000000000000001455710Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.708{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local64100- 354300x80000000000000001455709Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.708{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local64100-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domain 354300x80000000000000001455708Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.701{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61082-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local49666- 354300x80000000000000001455707Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.701{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61082-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local49666- 354300x80000000000000001455706Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.700{D694AEB8-B3EA-60E2-0D00-00000000D301}916C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61081-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local135epmap 354300x80000000000000001455705Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.700{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61081-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local135epmap 23542300x80000000000000001455704Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:20.256{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0C36D004163B497BA16E18118932D8E,SHA256=E92E380D060B875502F561474EF20985DCC8E6883EBBEF715D807BA2AA3CF661,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455703Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:20.256{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4BDD385355F5F1FD6D80A7B77744C7C,SHA256=04450763C5BC8CC6E4419DD5F2511550B2A436AE1F734FBA73CDCB7364553AB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455702Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:20.224{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F43C8B03471B062942BF5FB12239EBCC,SHA256=3BED39E2A31DD0A3798218E2ABCADDAB435A911C7E7ACEF3CED2524351A7696D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455701Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.301{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61080-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local445microsoft-ds 354300x80000000000000001455700Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:18.301{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61080-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local445microsoft-ds 23542300x8000000000000000400495Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:21.192{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A8AA5EBC61A68320890E4FA0D12CBA4,SHA256=B94590E8E554D0BCD1F548003DF111A2D05522D5B700E62CA984E0CA7DCFBD11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455752Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:21.738{D694AEB8-B3E8-60E2-0B00-00000000D301}6565444C:\Windows\system32\lsass.exe{D694AEB8-B3E5-60E2-0100-00000000D301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001455751Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:21.523{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A78ECC7AB0FFB6FC9F72E6E78C25F59,SHA256=7BABA38D86C564A7B60A3D6BAA24F44C0CBEAE0C124D6BE9C4BB198F9D854ACD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455758Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:21.079{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-201.attackrange.local61084-false10.0.1.14win-dc-201.attackrange.local389ldap 354300x80000000000000001455757Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:21.079{D694AEB8-B3EA-60E2-1600-00000000D301}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61084-false10.0.1.14win-dc-201.attackrange.local389ldap 354300x80000000000000001455756Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:21.072{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61083-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001455755Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:21.072{D694AEB8-B3EA-60E2-1600-00000000D301}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61083-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 23542300x80000000000000001455754Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:22.640{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0C36D004163B497BA16E18118932D8E,SHA256=E92E380D060B875502F561474EF20985DCC8E6883EBBEF715D807BA2AA3CF661,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455753Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:22.525{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56B167E180E65D30330E71EAB574C07E,SHA256=E1DA47F737FB585469E92F73832A242867B36BF0F276CAFDA7109D0A01986142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400496Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:22.240{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9A5E2FD5EE907026D9AF6419B366796,SHA256=85588BD87443B9F2981EA2C3808FF52489DFFDCBC0B57EE1C7C619BF77272998,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001455762Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:41:23.976{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\DFD6B7A8-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_DFD6B7A8-0000-0000-0000-100000000000.XML 13241300x80000000000000001455761Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:41:23.976{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E4B998BB-7148-4125-92A5-5D16014446F6\Config SourceDWORD (0x00000001) 13241300x80000000000000001455760Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:41:23.976{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E4B998BB-7148-4125-92A5-5D16014446F6\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_E4B998BB-7148-4125-92A5-5D16014446F6.XML 23542300x80000000000000001455759Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:23.539{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93FCB2364C03774B6493C7BF2731850B,SHA256=CB26AA1C1E08338A415EB8AE7A7DD8F611C96549D0F47F858896D0C658D6D397,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400498Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:22.264{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54061-false10.0.1.12-8000- 23542300x8000000000000000400497Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:23.255{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2E858225D058B92F26C8469227EF5D6,SHA256=3703D3FCB6996C8379EB75C92D230B8EA7636B344C812BDDA18549719E6329A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455765Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:24.991{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A5C91D193A7712EBB08CB1C82DB4110,SHA256=945C3853724F8297F5DE4F3E1BA8DB472E0B3F3A712E8ED8AAF442F2B2413D26,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455764Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:22.639{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61085-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455763Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:24.573{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12015779EDBE132806F153B244AB60E5,SHA256=2728481B182247F54A41A0180D1F452E60FD33E76B1DE1C1749835164F6C7FC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400499Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:24.270{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E11C1BA5AFC4AC753C781468997E47F0,SHA256=F4F146BF07D111723369D2B37ACB0E0283796754CFBDF311C30B8149BDEDE35D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400500Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:25.270{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C7C0F94306D35E14882189EC39D9563,SHA256=68D78DA3DF4DB44042ADE518A25AE769FA7742F5FEE7F9B210E4FA8C25D7F60B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455770Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:23.432{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61087-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001455769Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:23.432{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61087-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001455768Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:23.419{D694AEB8-B3EA-60E2-0D00-00000000D301}916C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61086-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local135epmap 354300x80000000000000001455767Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:23.419{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61086-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local135epmap 23542300x80000000000000001455766Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:25.590{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0526925AB7D05E403535D7828476E0D0,SHA256=2E3541872CBD4582DE745F3A15F3793C632CC852832A19C1B3F03C8A81F91F3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455773Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:23.438{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61088-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001455772Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:23.438{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61088-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 23542300x80000000000000001455771Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:26.605{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=990243F36A7C7EB4C7FD36D9ADFF5B0D,SHA256=A92E4AE7B96868C2DA013ADD289ABBE56882388F8948002E6A3401ECAB52602C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400502Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:26.380{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=7D992344BDD75DC9D38FF3FB2271B3B7,SHA256=54C66F9CC707166CB02CBB33201F9ADF6CB0ABF7496276E052CA809578235636,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400501Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:26.270{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D497280F4F14C70481E577204C0A2BF,SHA256=5D8AAF14386FBF1C653DDA3AE9D357CCFD322C53CC9FF313A66726B554FD211E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455774Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:27.635{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F03DA4444D598B74BD4E7A2E371FD01,SHA256=A89D4CB602A9FCDA447F460E4F519A8E42F2CC862667A3E35E8B01903CE95CC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400503Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:27.270{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35BBAC9772B834F91A64805EECB930BB,SHA256=B5C0B01698262A1D953F3278DFE5E66FD7305995A6D6FCA7158838E2A836B54D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455775Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:28.649{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7A7FF00B9BC86E38E649BBB5F368629,SHA256=89137909722F3EA56A3839DE0259DAB56115F2D2DB5EA519DA7D5DE0740EBAAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400504Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:28.270{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFFDA0DD8E6D3CA620CFE6DED3235F63,SHA256=83AD2986EB5E3ACCFF77E3A566187CC3CA108FEA2F6FE7FD8AB3C6DAF1857249,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455776Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:29.667{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDDB0B16743FD781306E2E2F22D8F329,SHA256=01D156AA764287A0E006EA6CA7658A8D96B12F84A07A941BB402FBAA6E9263F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400506Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:28.295{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54062-false10.0.1.12-8000- 23542300x8000000000000000400505Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:29.270{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63276192DCD9EF6413F5AF49413E9037,SHA256=BF023B53ED284E607562C4B3A5030FDB59A87B40480A8F663086758F477AB16A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455779Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:28.614{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61089-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455778Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:30.767{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455777Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:30.685{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00DA293E2529237F9403F2DC1543F7A0,SHA256=C5EA848C8C6AE69BA6D4130B786C2879FA58B7A8D8FB19E8B57D38CDD2887110,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400509Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:30.364{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4579E64BACBB631CC4E3E2D2E5BF22F6,SHA256=B73ACBACA6EE14FD8A4B0DD719285B167A52E4EDBD0E1340E5850CCECFD4C1BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400508Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:30.364{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B6200E648CE8887645F9F09FFAE5053,SHA256=928F1394437E0570E16972FCC9059567B62C375FA243A776B2AF25AB626653AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400507Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:30.270{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96B5C6A25FA102CAA06A9FD15FB17074,SHA256=11B05E8A4918B6061A7CC4BB962BF50BB0E62A781C0F27C81DA0D7624BA80C46,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455781Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:30.194{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61090-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001455780Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:31.701{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9353B0184C9A03AC417757E762A4071,SHA256=4688A33F219E17C9CDD50B87B6551D47329118277E591703D4BEEBCF3E45E2D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400512Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:31.426{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400511Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:31.270{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E115F753FA54901C20F5C0C2E1EC7C0A,SHA256=EFF155DAEF73904EB070201724C66C3027D227C83BD7FD8D8A4DA8EE2F9A8A3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400510Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:29.277{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-53540-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x80000000000000001455782Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:32.715{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12B3474278920FFB16E078FC101191E5,SHA256=B080C5978E4951E6BD150FDCDC4350120941F3AE341928778AAB8C7F5A0D9E81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400513Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:32.270{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E914596C45572C185FA5E8A72711E147,SHA256=58DDB924110E3D34327E20B7116F8628314A19B14D9A5FBA6D8621465AE34E97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455783Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:33.730{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBCEB50FABAF9CC0CFA6DCAFF3EED3C1,SHA256=23CAD26B160D1B2CBAAAAA0A9B91B68BC04DD146C6F889CE1A1DF829CA1783F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400514Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:33.270{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=482503DDCA2B184FFDCFA3F0228C30BF,SHA256=1EA8EB4699617EBE3BFEB447CCF5A33EEADB0C71F6AD82D9AF4AB4AF2032A501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455785Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:34.744{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97B57F2BE977DDFBD9D54C764AD1A4A1,SHA256=A6E45F55DB6D91A1B90C9C1FDABF56657EF0B5902AD547520B08277F6175B0CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400529Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:34.661{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0C0E-60E3-DF0A-00000000D401}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400528Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:34.661{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400527Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:34.661{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400526Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:34.661{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400525Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:34.661{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400524Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:34.661{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400523Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:34.661{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400522Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:34.661{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400521Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:34.661{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400520Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:34.661{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400519Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:34.661{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0C0E-60E3-DF0A-00000000D401}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400518Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:34.661{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0C0E-60E3-DF0A-00000000D401}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400517Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:34.661{7F1C7D0B-0C0E-60E3-DF0A-00000000D401}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000400516Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:31.623{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54063-false10.0.1.12-8089- 23542300x8000000000000000400515Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:34.270{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BC2D5A91420F463589B2AE6A5516F27,SHA256=8BB81A015D6896BFE91F9C97A89D488CA29446A1677EE8C6FC47857D77F1B97E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455784Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:34.045{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=51F416276F1447D5A821A6E34D4C3E32,SHA256=42F49FB101ACBFE4B3435F6272F2887CA3734C04C943A073075EBA6F8884334E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455788Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:35.981{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDED70E7D93F14DA7BC7B2665411C5F1,SHA256=41F5D84219105B08E1CC5C191118258776BE29E4383133EC039CD53047266303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455787Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:35.981{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=448ADCB04400E5CC9941D6606082480A,SHA256=69C007AB7D4605A642596AA6DC8C9A1218695383E516454FFB88BE7E22ED0BBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455786Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:35.762{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=428C6184382651B5D526F2EDB22C492D,SHA256=6E80081739375F40836B6361CB2CA6CB3F13A5DA2A7D02D0CACA78E95A7007D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400559Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.833{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF1C2CAE7D05D890567E45560260E176,SHA256=72D0FDD5AFD51F5BF65DFB178D9CEABD0D26CCECFB946DDC3B651335FD234196,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400558Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.833{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0C0F-60E3-E10A-00000000D401}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400557Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.833{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400556Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.833{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400555Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.833{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400554Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.833{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400553Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.833{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400552Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.833{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400551Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.833{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400550Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.833{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400549Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.833{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400548Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.833{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0C0F-60E3-E10A-00000000D401}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x8000000000000000400547Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.833{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4579E64BACBB631CC4E3E2D2E5BF22F6,SHA256=B73ACBACA6EE14FD8A4B0DD719285B167A52E4EDBD0E1340E5850CCECFD4C1BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400546Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.833{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0C0F-60E3-E10A-00000000D401}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400545Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.834{7F1C7D0B-0C0F-60E3-E10A-00000000D401}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000400544Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.567{7F1C7D0B-0C0F-60E3-E00A-00000000D401}19322632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400543Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.333{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0C0F-60E3-E00A-00000000D401}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400542Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.333{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400541Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.333{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400540Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.333{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400539Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.333{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400538Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.333{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400537Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.333{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400536Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.333{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400535Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.333{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400534Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.333{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400533Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.333{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0C0F-60E3-E00A-00000000D401}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400532Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.333{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0C0F-60E3-E00A-00000000D401}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400531Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.334{7F1C7D0B-0C0F-60E3-E00A-00000000D401}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400530Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:35.270{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89ABF317A4F151AA4FB1A93885795618,SHA256=81396919ED9CBE72E381438718E090492DDBF213EA647A997DF26827E3E3FE7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455789Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:36.781{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=080F65560AF3805C0E785BEF5B8C957D,SHA256=680DFF756CC812B1FB26A54A45AAE26CF7253E2442FB4BAAF0C397F0CDC33B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400562Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:36.911{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF1C2CAE7D05D890567E45560260E176,SHA256=72D0FDD5AFD51F5BF65DFB178D9CEABD0D26CCECFB946DDC3B651335FD234196,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400561Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:34.295{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54064-false10.0.1.12-8000- 23542300x8000000000000000400560Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:36.442{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4E681697A7B32EC17AD433E41F00D1D,SHA256=179804D1238BE8EC19FC7B842C2E40452F479106D9D78715FB729FEA9FAB92A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455790Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:37.796{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA1B1485C19B0DC18E36533316B5F048,SHA256=26B4A2DF7D8B69FEB36CD59EF51E98655A5C6464C6281C8164A04150E7BDDDDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400563Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:37.442{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D58DF7326717F24053850A4FF5DDDBF,SHA256=090EE2F121986F2D005531468DC03824B94D128141BC7DF416FE70E55620C362,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455792Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:38.810{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB99EDC650AE9B0E455A978D6F856A1D,SHA256=9427E687BA7CA3312BEC8E87FC1419550B66E4EBE3E5F4285BC6D733C407F10D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400564Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:38.473{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B7C8602A9299710988626B8949E2683,SHA256=ED496E9475624353C5F874D7A12804DC2699544783494E11D608A3B2B9092990,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455791Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:34.610{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61091-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455793Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:39.825{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07AFC6037BFD1584D41B95BDCB0E1710,SHA256=FFE8D8037424A980E574A0DBA48724F7537DB34F775617FC2C720063A74A9DA4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400592Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.833{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0C13-60E3-E30A-00000000D401}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400591Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.833{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400590Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.833{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400589Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.833{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400588Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.833{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400587Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.833{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400586Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.833{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400585Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.833{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400584Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.833{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400583Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.833{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400582Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.833{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0C13-60E3-E30A-00000000D401}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400581Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.833{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0C13-60E3-E30A-00000000D401}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400580Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.833{7F1C7D0B-0C13-60E3-E30A-00000000D401}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400579Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.723{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65F1FC0B54770C9F84632CCF82DF2474,SHA256=952B858C2E08235D922D383E318494EDCC5FCC30179EC3C74B62E4357858FBF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400578Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.317{7F1C7D0B-0C13-60E3-E20A-00000000D401}40162712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400577Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.161{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0C13-60E3-E20A-00000000D401}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400576Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400575Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400574Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400573Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400572Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400571Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400570Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400569Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400568Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.161{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400567Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.161{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0C13-60E3-E20A-00000000D401}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400566Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.161{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0C13-60E3-E20A-00000000D401}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400565Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:39.162{7F1C7D0B-0C13-60E3-E20A-00000000D401}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000400622Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.960{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400621Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.960{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400620Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.960{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400619Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.960{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400618Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.960{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0C14-60E3-E50A-00000000D401}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400617Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.960{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400616Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.960{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400615Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.960{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400614Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.960{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400613Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.960{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400612Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.960{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0C14-60E3-E50A-00000000D401}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400611Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.960{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0C14-60E3-E50A-00000000D401}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400610Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.962{7F1C7D0B-0C14-60E3-E50A-00000000D401}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400609Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.960{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72A94CF118822F0DBCFF93A9CC401AF9,SHA256=E22981DAA22B563AD2E474EA30E11386A89F0CA1511E51F8687BAD54E09D7C74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455794Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:40.839{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ECA637B36C4BAD29090E447E1DC62E9,SHA256=2925F448047F5563C42790C7D50DE4CE16DD708A4291DF15357077156DBD13B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400608Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.522{7F1C7D0B-0C14-60E3-E40A-00000000D401}19642376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400607Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.333{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0C14-60E3-E40A-00000000D401}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400606Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.333{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400605Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.333{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400604Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.333{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400603Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.333{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400602Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.333{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400601Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.333{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400600Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.333{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400599Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.333{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400598Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.333{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400597Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.333{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0C14-60E3-E40A-00000000D401}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400596Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.333{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0C14-60E3-E40A-00000000D401}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400595Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.334{7F1C7D0B-0C14-60E3-E40A-00000000D401}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400594Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.286{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0279B19B63AAE0D397C9F56C5B70C9B3,SHA256=2C69394EB9EA9CD44C28632640EC85234FDF080701832A6D5C067CC8BF70CA1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400593Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.083{7F1C7D0B-0C13-60E3-E30A-00000000D401}3024348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001455795Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:41.857{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C709743383B8983B9BE946AC1F5FC4CB,SHA256=FA16C1139BECDF2FDA5C53C007865037F4FCA30F83C73B285E27331777E6F12D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400623Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:41.460{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAE4928AFC6DC00F9190FE217A3DDAC2,SHA256=E97AF199B31AA671E4537B0F212F900C6817D9E5D4FD40ECE3CC7731AB1B2888,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455796Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:42.875{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26492676E148B7665021438FD639E2D4,SHA256=34ABCB307660085E5560EC5FD3C4491FF6B683C9A989081B11D579396D2C3381,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400625Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:42.018{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=855B60EF45C1BE0178A7C5E8A99A1D37,SHA256=96D888913F9790B9D8CE291AF7A85EFC40F96E4E686F0BD8EA1B894DD9048C1C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400624Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:40.342{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54065-false10.0.1.12-8000- 23542300x80000000000000001455798Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:43.889{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C53081731FDE0435D6D82D272446DA36,SHA256=15CD67246E55B4248E1258F78A1D505E594ECEE67562B30DBD82D405B74C929F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400626Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:43.031{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5F71A6A6FBABA34297AEE8A874D9608,SHA256=A6D6CDE7D435D82F9EFD2CDE229237F0560C7EBAF96E65AABC2FE523F1916A0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455797Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:40.623{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61092-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455799Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:44.904{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B50BA8164E3043332515914843600E2,SHA256=279B8F1E178D3F179508DC0D8E3FAB0CDFF2E08E1C4B39564EC1DBB0C7C71801,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400627Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:44.031{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE25BE8AC50628A6DB11D144F578B896,SHA256=66F64DAB9BDEA108C83D1C8A6C903E4EEFCE497DC2B82784BE5B0650B3B76307,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455800Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:45.934{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E04D1D9A9A09327E01F9DA4B399D3CC6,SHA256=A18D2E770564709B71F505B58748B89D9E89FB9BBE413F04F116C29735826CF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400628Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:45.031{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95793EF03676F7EE6B52ACAC42267380,SHA256=C6043E5BC22A45778BA6258A24C7CBAEDA416D9B63C0529DA062FFDCB7ECD9E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455801Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:46.955{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D751C4C69C3C8E86E3E76EE91D68CCF2,SHA256=A482E9B0E81CC0ABBFFC74A8DA91D5882998BEF7185385CC355C0B339E81E3D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400629Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:46.031{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B623D1B14F23F791B99EF93DD1D1E27E,SHA256=E63EA56BDC39984639A51393752DE7CE2E9CFAF8E8E68B75EB396559277C5940,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455802Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:47.970{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14DA9931C3DE499101B11E52D23E658C,SHA256=4B82C129B4B6A689AB11F41E5989F85FC6C9D610CC7E4D2B5588291B0220BC7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400630Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:47.031{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F397F9EEA424C3221E6C2CC898E3ABA,SHA256=31E55BF38E7812BB2935122E6E1C949D4CD5BD96E61053F1701649F456DD2FC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455803Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:48.984{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F1DBBDDAE447366E878DA71B349382E,SHA256=FB3666DBCE1154417E71D947B1D6A35587F9B9D493A4A804E993BED310BA4541,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400632Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:46.368{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54066-false10.0.1.12-8000- 23542300x8000000000000000400631Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:48.140{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60123170EC21ED2A85EFBEDC4DC86D7C,SHA256=06CED3134E25D6FEA80D7501042781F6C51CD6ACC2B8DB373555BF5154B51969,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455804Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:46.599{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61093-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000400633Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:49.218{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ADAF9E8A38B3DECD2195C5976F4A418,SHA256=F48937265657CC8561CFDA41C9E62B0E3B5BA34E6C94B6AD86AFA98B04B04CC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455805Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:49.999{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4BE7F421698722E6004B577713F6FC4,SHA256=C74C31103E4EF2444004394C8D2429A85F8A8C525950918B6013DEA27A8D4EC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400634Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:50.250{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7646E07EFBE1874B8419DA372B8C402B,SHA256=3A3880A454E5B01D4ABC71466E8CD947D60444ABEAFAA8B5504D091F750C2973,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400635Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:51.265{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D389ED8F46AAE04E8C2FC70BEB74C99D,SHA256=CABA572CD2447E916D020C72B211B71073A7A483BC51D91ABA565D3489783497,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455808Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:48.450{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-201.attackrange.local138netbios-dgm 354300x80000000000000001455807Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:48.450{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-201.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x80000000000000001455806Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:51.014{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E21F76500A886074E41C3B18A4E4C81,SHA256=E0F50F435DE2602CBA8BF092A1EAF959B8F38655C336D35123302AED5C1B5C4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400636Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:52.296{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCEDE4B78E7A3EF76065BCFF62589399,SHA256=402EEC77917E0FC85625286171B4C7856889A1AC25653C5C47288E365BC4697A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455809Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:52.029{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74FEED979C017C8E4E49C2EF5992FE4C,SHA256=98BD5E67E165B2C54DA3A91DAAD0C580616FF6069C4FE3BC605811C6DDDE62B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400638Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:51.384{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54067-false10.0.1.12-8000- 23542300x8000000000000000400637Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:53.312{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C003829D0C0A49AF2D88AC920F6EBF9A,SHA256=32330A9ACBC1FF06ED3EBF679AFA644709D162B8E211E694711F0A893DABE339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455810Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:53.046{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21D16A8E662BA7AFF1EDCCF3DD2A1448,SHA256=A54D5FC6ECE6E040B00AD8F751BECDC21B1EB33882AF93AEEDFD2D32F801C972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455811Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:54.064{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3A0C80908571EB8730FAD3B86219933,SHA256=939B2166962141BED827FB69ADE1A1E840353F9906745C557BE997E2BBCC4EFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400639Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:54.312{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB21C9FCAF1F214C5BFB55F650F87A8B,SHA256=E7C3CA2290CA03E900AF510A748D675025B7512909515C3D2F03B9412BDC35DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400640Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:55.359{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7058477649EF154E6EA5621A8C864B65,SHA256=1E16CD3382A78A614C66BA22F51260ACEE08398757F12E8BBB5AFF32515C76C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455813Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:52.612{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61094-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455812Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:55.065{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2237D56F4DBF928479C9BA8233615CD,SHA256=095DB9B024353F59AC96793474835267EE7D23E72242B3EDB32AD721F61678E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400641Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:56.390{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E5CB1321EC176132C8E2AE27A058EAD,SHA256=B84D6E3D48CC13545EEB6C028ADB084969C1D553A7EDF2953CB7CE8EEBD5BBEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455814Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:56.080{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3728953C462B81C14CFD2E7BC47C1049,SHA256=C4F4C220B80058FF20D856B8DECFE834082E1264AF05D2C818A7108BCA15A7EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400644Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:56.668{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.47.130-62312-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000400643Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:56.385{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54068-false10.0.1.12-8000- 23542300x8000000000000000400642Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:57.406{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=048CCE378E8B2C9FDCAA77E2894EFCFD,SHA256=55032109E754865B8F2821A44FB5BAC0FBADE8A689E2A8B61E130672ED51758E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455815Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:57.094{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA75C805F81C330CD27E6AD5090BCD05,SHA256=797980AABC83001C05C0C5483C49D6FE9979163A5DDE1DA4FB23E15327724D2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400645Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:58.453{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E8EEBA30F8CCA7EE2FF642EF56FE142,SHA256=73F97DCE1B64BA625BEC91C99523BF3A7C7100693B154C124550D3941497064D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455816Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:58.109{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE6C9B80A471E60B60978C15A46EF368,SHA256=5121E83822FB177A477B3BA815CFB4E5B4903794C8073A4BE88908030B4AA8B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455834Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:59.692{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0C27-60E3-780B-00000000D301}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455833Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:59.692{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455832Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:59.692{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455831Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:59.692{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455830Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:59.692{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455829Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:59.692{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0C27-60E3-780B-00000000D301}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455828Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:59.692{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0C27-60E3-780B-00000000D301}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455827Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:59.693{D694AEB8-0C27-60E3-780B-00000000D301}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001455826Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:57.106{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.15WIN-HOST-88450889- 23542300x80000000000000001455825Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:59.124{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7396875A2DFC79AD266840D24E29C48,SHA256=006DD17EC133BF5FC41004FAC4DCD14064432CDED5040A3B21E2B51064FEEF57,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400648Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:57.873{7F1C7D0B-B3E4-60E2-1600-00000000D401}1300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-884.eu-central-1.compute.internal50889-false10.0.1.14-53domain 354300x8000000000000000400647Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:57.872{7F1C7D0B-B3E4-60E2-1600-00000000D401}1300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:9840:442:84cc:ffff-50889-truea00:10e:0:0:0:0:0:0-53domain 23542300x8000000000000000400646Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:41:59.453{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04442A8D0E81561362202AAE8835DC5B,SHA256=FF0054399A8FAE2AABEDAC87F3278D380EA73D0535D3D97306AA00C41325C5EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455824Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:59.024{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0C27-60E3-770B-00000000D301}1720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455823Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:59.024{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455822Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:59.024{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455821Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:59.024{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455820Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:59.024{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455819Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:59.024{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0C27-60E3-770B-00000000D301}1720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455818Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:59.024{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0C27-60E3-770B-00000000D301}1720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455817Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:59.025{D694AEB8-0C27-60E3-770B-00000000D301}1720C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400649Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:00.593{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDCDFDDE8C05AA8F4C50776C9DC612A0,SHA256=331B9CAD932DFFC9DD17C4B028508C3D2360A463FF07D2B7FBCCEE7B3669E89A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455846Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:00.544{D694AEB8-0C28-60E3-790B-00000000D301}28604740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455845Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:00.376{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0C28-60E3-790B-00000000D301}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455844Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:00.376{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455843Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:00.376{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455842Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:00.376{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455841Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:00.376{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455840Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:00.376{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0C28-60E3-790B-00000000D301}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455839Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:00.376{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0C28-60E3-790B-00000000D301}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455838Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:00.377{D694AEB8-0C28-60E3-790B-00000000D301}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455837Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:00.144{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7EFA72099A206B9428E74D106952372,SHA256=6E359B1228B613FD9643FF404E7C1E52247A64E053E83292DE62B74EBB4F4E50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455836Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:00.060{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=490776EDB69868A5DFF567665E4485E6,SHA256=925833245FAB3BAB608C15046726DC0A1B694EC87DFDFC340CC9232934FF768A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455835Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:00.060{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDED70E7D93F14DA7BC7B2665411C5F1,SHA256=41F5D84219105B08E1CC5C191118258776BE29E4383133EC039CD53047266303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400650Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:01.609{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F734133DB19415AAF6539A5332693D4,SHA256=B6AFE9CFC6435A994234053F1E6D0888B7C36D68836612D30E28ACFF0DA91360,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455849Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:41:58.607{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61095-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455848Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:01.390{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=490776EDB69868A5DFF567665E4485E6,SHA256=925833245FAB3BAB608C15046726DC0A1B694EC87DFDFC340CC9232934FF768A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455847Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:01.190{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B0C072FF56CC2E28DE32D45DBC69D80,SHA256=E58B39DF17A54BE8149F9AD0BAA66D04343D73F90DC387059F5584A9A9A6516D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400651Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:02.625{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9EC88152B4126EE41533BF61F1B4FC3,SHA256=F6B1436848A1EDC688BAB75A5842AC11019BDF14B2874810A3479EF3287094F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455859Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:02.789{D694AEB8-0C2A-60E3-7A0B-00000000D301}58081872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455858Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:02.558{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0C2A-60E3-7A0B-00000000D301}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455857Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:02.558{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455856Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:02.558{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455855Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:02.558{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455854Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:02.558{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455853Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:02.558{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0C2A-60E3-7A0B-00000000D301}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455852Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:02.558{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0C2A-60E3-7A0B-00000000D301}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455851Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:02.559{D694AEB8-0C2A-60E3-7A0B-00000000D301}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455850Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:02.205{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7EE147641BB157F255625D3F1236E7C,SHA256=837647177ABD487D2B7DDCCD1DCAB654D863DD98774391605EDF7AB903941C7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400652Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:03.640{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=483A44A695845037A5253F0389501B29,SHA256=8ED39AC92C0782CDA082E2A87F9AA6B158D392DDD3A3515F60C07648D20FD026,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455878Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:03.904{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0C2B-60E3-7C0B-00000000D301}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455877Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:03.904{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455876Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:03.904{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455875Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:03.904{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455874Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:03.904{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455873Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:03.904{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0C2B-60E3-7C0B-00000000D301}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455872Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:03.904{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0C2B-60E3-7C0B-00000000D301}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455871Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:03.904{D694AEB8-0C2B-60E3-7C0B-00000000D301}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455870Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:03.573{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC949048E5E4CD5774B2E1C6006F76D2,SHA256=7BFDEED4990585868BDFA6B64F367115E5FB8DD08A76642B653ECDD51E7844CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455869Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:03.389{D694AEB8-0C2B-60E3-7B0B-00000000D301}51165688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455868Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:03.241{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0C2B-60E3-7B0B-00000000D301}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455867Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:03.239{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455866Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:03.239{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455865Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:03.238{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455864Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:03.238{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455863Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:03.238{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0C2B-60E3-7B0B-00000000D301}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455862Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:03.238{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0C2B-60E3-7B0B-00000000D301}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455861Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:03.236{D694AEB8-0C2B-60E3-7B0B-00000000D301}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455860Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:03.220{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7408119E267EAB735A7DE375238D9224,SHA256=3E18924EB61B3603FD1DFEAC054E99F3C6841387B31CC2CF3DF2F92CF4427C6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400654Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:04.640{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C2F8BEA6257ABFF2338F35257E39B54,SHA256=DEF0134D3F6C3C39B75A9089F5D4ED7EC35BB9068915544815CBF776F93A2EF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455889Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:04.958{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1C69A2C03BEB66F91763BF4B6F1317D,SHA256=486D5899928FC563581A4B5BF9BE43843CE5F74DB98CE7FB10F6E4F25D6F7B33,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455888Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:04.743{D694AEB8-0C2C-60E3-7D0B-00000000D301}49966416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455887Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:04.589{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0C2C-60E3-7D0B-00000000D301}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455886Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:04.589{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455885Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:04.589{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455884Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:04.589{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455883Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:04.589{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455882Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:04.589{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0C2C-60E3-7D0B-00000000D301}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455881Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:04.589{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0C2C-60E3-7D0B-00000000D301}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455880Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:04.590{D694AEB8-0C2C-60E3-7D0B-00000000D301}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455879Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:04.221{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64C8BCE0E0B0F829839206C36B2D2B9D,SHA256=00270E074E279EF68F9956CE0E758623F74A7DE8E39E0A9D2E9211524810EB8E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400653Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:02.369{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54069-false10.0.1.12-8000- 23542300x8000000000000000400655Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:05.640{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D25C1471B6724B788D0493BBF06711C,SHA256=E4F5720324FA1D2846DA379BBB390D4EB651F92C4FE64B3D9B4669ECBB29F654,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455892Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:03.450{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61096-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001455891Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:03.450{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61096-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001455890Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:05.232{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8FEB26527F2CA5F138C181EE95C0868,SHA256=90E1997A860876A96104468C07B34735CFB4DF436AC5F65942D90A97D4725442,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400656Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:06.641{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7221DEBD40FB876E4ECC92DEDF8F6CBF,SHA256=CC0791080A0C72E9ECC4455B7339F4D9B65117EA48F9DB9B02188D1236A207C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455894Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:04.586{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61097-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455893Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:06.274{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9248A0398E1AC416358665E0C84398D2,SHA256=D09C91B6F94271CBFF4291B27D6E2810D4BCDA4C75D66AD68CEB077540913883,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455895Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:07.337{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73744059D905F479EFD80327126DCE7C,SHA256=DD85635A74BCC53D27E3D1981C9BC7D8C85C0572853436A8EF76DF1DA2227A4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400657Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:07.656{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AB68DF35624BE636622D9385BFE9AC3,SHA256=AD3D2BEBF5D812641C379C76D43353D0FF6B54AFDDA4FB2D88B2A29176BBA730,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455896Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:08.371{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B959BD59F5E19AF6FA6388FEF3712CCB,SHA256=8B27450333A62E096275473C3434E96A1BF2DD882C0111318D7134ACE9B98B9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400658Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:08.656{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7259DD23CCFDA4AEF8790596673E8DDD,SHA256=4BEEAE9CE15F70B08439A1E8AF55588B4BADB85973C1C0C04D2F5F3CABDC823E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400659Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:09.656{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3825F7063FF625A5DFD36F3807722B1B,SHA256=05CDE41B01A9EA1459B4FF39709561882D43E379ECCB9F682CD39A8D23F1EF0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455897Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:09.401{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23C043DBC24DE8679BE2703C51BB4E4E,SHA256=35B649CB60F5B6E2B32E1D210276FDF645FBE3DA8F08B035AA04E3E50D56AABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400661Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:10.656{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5B81A92E594EE8F9C6FAACCF5E6C3D1,SHA256=F4AFD0B7DDCA12DD314030A97472FB2C7BE3D4D267337685105E6847FEAE297C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455898Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:10.415{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF5A3D665938E4077FAC52EDABB397E4,SHA256=2D6248A90F53DE862D4AD186DF759D219DBAE4C2A29EE19E5F79E91EDA81111B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400660Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:08.369{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54070-false10.0.1.12-8000- 23542300x80000000000000001455899Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:11.432{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C39CB4ED4570CD19AF83E8F3B6F7EB5B,SHA256=50C17F71C177778BF98C3DC74865233759E2759D9766B7D8F5A703DE3E313DFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400662Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:11.671{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8F505225E5DDCA3B97B71030A72EBF5,SHA256=2021D60948D1A241460B0CD23C29BABB038DD95167052DAF77707998EF702E7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400663Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:12.703{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=905A984968CBCEE9E97665C23420AB64,SHA256=2C5B1AFCC0A9730A0383F06DCD65C8E3428E1D662A4F3789AF6DFE447BE8194F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455900Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:12.466{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CDFDC77BCAB25201EB29880B592D84D,SHA256=586A1797094C88C8DB9F4513133346F6DECF75D69E49DB5B9A8CFE7217C28049,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400664Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:13.765{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1188B64995DDF569106B58BF208B3778,SHA256=482BFA1F49CD596F61BFE32966699D2C99EBE562A2A5183404570976A137A583,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455902Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:13.496{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5FE07CF3D167ACCD8CAA4E4DEA07D9D,SHA256=CA3A29AE4BD496DC5E994143144FD5684F43710264303EC1810FAE2147BE3F79,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455901Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:10.598{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61098-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000400665Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:14.968{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A26E884B3F4AF5D22BA8C26B2A7437EA,SHA256=A756A65D21C01F2A00745A42EDD025B887A96942C31FD02FEF2A9ED231B4014A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455904Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:14.611{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=844950F5431A8880AFA9E8233A8DCC04,SHA256=2EA5DF00C95CB0498434545F12A45BCBAEEF275EE1A24D2992EF3971447F1D17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455903Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:14.511{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3732EAD1E0AA00AF397FD8296D83948,SHA256=3A30260477792F71EC80B2C6F091E3A52740BC62658992710487E4290EEDDB2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400670Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:15.984{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C97F5B8E7308946A106B7F3AF8A5B14,SHA256=E0F0086B58E46D33C1DDA6C48B7919260465FB5BC7CC7075673EFF3962CEED51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455905Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:15.529{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F1ED45996B8AA3DFFAE4F8203D7C6B1,SHA256=6B47E1E203169A6FCB2B47475F53C4B2A0A66245661EA61DA0B5AB3CAE3B258B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400669Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:15.468{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07FC714E6162493EA2A8AF3A282FEB57,SHA256=4D5C52FBA4ACE731571D5B907816E65C42B0EF73ABF1F99528A3B0A664A315BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400668Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:15.468{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7AB7AB11043ACF493A70DF90A727FE6A,SHA256=02BA8B6D51BB78016F8E7BDC94E88BE3CBED7F8E8267696DF2608426E4694E43,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400667Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:14.354{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54071-false10.0.1.12-8000- 354300x8000000000000000400666Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:14.192{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-44059-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x80000000000000001455906Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:16.563{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DEC9E040F1CA0D34C0FBBE49E6B204D,SHA256=DC10DA11AC346893698FA83C94FF5D55B9B0D20A7F9201C0AD48A0AE24DB05EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455907Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:17.578{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C98A5412DC0E9EFE61F207EDE91FEED5,SHA256=8561C1A5B6FD211E73FE30AAD5055E62F76BCCF91B793ED36C87615E284F61DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400671Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:17.046{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7316579CF07E6329946EB4083C336EAB,SHA256=EA60CD09AB7118C98828210EC8EC49AA4AF04465C73BBA31729FC7B5317AF72F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455909Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:18.592{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC734ED2CDD046F94E6B58FB8653D962,SHA256=D7BF1F94B313BEEE88FDCD1E61B5632FB2CF53E464B9725C7BAB624F7832A84E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400672Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:18.062{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8E72327A419C387C5AF80296384A5C1,SHA256=FFBE2461B6AE4AA082789D0F50AAF9E9DED746ED302BC32CA05D974896225096,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455908Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:15.610{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61099-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455910Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:19.607{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F9339D6D2B4B0C078EA79CE38C563C8,SHA256=B7D65DEDC4B75A07A314C4E383A24D3C82B873100ABB7EC1B4C2417E01EA770C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400673Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:19.218{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C82B50F26AC764CEB6951F06FB9CD347,SHA256=1B4811A882583D3A75E4EDA5E2A93851F5A17E933777C10F406AF02E7FFB5424,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455911Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:20.624{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C59B80F3B85E41D97B110319FF5A4AF2,SHA256=FC1C96C9E65FEA2D8AF95565736DAEE0FC04C8EAB46C1904C27D3553B97178F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400674Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:20.234{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B5E95948B9C95EAF4B9E2545EC2EE4E,SHA256=A49DEBDE7EF5F9A712F8BD283E6C96D418D2DCA588779E382472E96190BB37B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455912Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:21.642{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EF3B0E9B0FCB25C19368989C184E286,SHA256=16B61F4442254C131DEC868F903B5F13F53AE03697E85766530BEBE2A67A9B22,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400676Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:20.353{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54072-false10.0.1.12-8000- 23542300x8000000000000000400675Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:21.234{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C079DCB508189F0D8D791879F8DB54A,SHA256=75D439867982DA0F10FF012FF324921B4D7A75C083792C0216E9E349DCD0E498,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455913Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:22.657{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02146A0B342990CEA62026CA99F9D9C6,SHA256=1EBC9C8DD1FB661BC81ABF47492A2AEF6DF335CCB10DF285D432D07A53C19856,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400677Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:22.234{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34AC1C715F51139CAC2F9D29C8C87C2E,SHA256=BD5C160ADED136C7B0D4600598A448A30DEFBB9D894E94C61330DF53D00A6E3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455914Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:23.707{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3058E3EF15766FF6F42860CBBDB3CB8E,SHA256=5BD185A5010DEE579866B0099C588EBA844F8A65350CEC3CD2B5DE78121BCDDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400678Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:23.234{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADCC72FF0688012DC3CE4327C3FCF14D,SHA256=2D3343023FAB6B3D143166D10D9DF3B1CDFB196D906B252E9AC0069B22E4B960,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455916Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:24.743{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0294F5D83E561081E6AD687CC00E7B3,SHA256=6C27B1D238D6D009FC97ED8F3CD898DF91DBC6DC67E6FC62F41B67AB3F3C5C76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400679Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:24.265{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F59DE082689E779A6F9C41C5CBF30278,SHA256=FFCF9FABD1335A09C784CBC6BAE6C5470700617197D385ED96C5A6C6B895249D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455915Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:21.604{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61100-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455946Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.858{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C4879E9436F01B297E5E4DED102490F,SHA256=D92B87603B9F7EF404B983DA0A3E0EB3D2224E4EA86D929013750E2C905B6F5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400680Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:25.281{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=650C873396F035F556FE47CC77E8470B,SHA256=A80892B3177DC7B1E732488EFBD4101F119A7BE09A905570C778BEF88139BC14,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455945Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455944Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455943Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455942Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455941Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455940Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455939Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455938Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455937Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455936Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455935Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455934Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455933Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455932Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455931Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455930Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455929Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455928Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455927Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455926Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455925Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455924Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455923Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455922Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455921Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455920Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455919Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455918Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455917Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:25.005{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001455947Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:26.922{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64F00FF39F3575E8BA47357B588021FC,SHA256=455229D5CD17192F3FEC8BAFEBF10DB82B5A32CA102BDEDD9210C1598E8AFFC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400682Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:26.390{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CAAE02655081EEA6DD75679218CAC6F5,SHA256=A37A9179A438BBA8389F439EDB024B64711C2B2F852A0DDE871D05B2D7A85FAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400681Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:26.281{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C50E3F86B66D1116BC2073E1B68EAD2,SHA256=FDA8AFC1A1C35C960B5BFE59F8F50CE8500C6BFEB08C96A1F72DE982EA2B4028,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455948Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:27.941{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83917C32FEA4EFCF239BC768DAE28506,SHA256=B25FDD84AFA2521BFC94B41D6D9DB7518A887C63035C588B3AC81F970C3902EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400683Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:27.281{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=415C6C37AE1F502EE3A159B6FD817426,SHA256=8BC0E5CC1D7C8165AB5857A3D9630AAAEEC600590573A3BBCECF6AAEA98EFE84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455949Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:28.971{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAFB1AF8AC317DC10C4BE13782FA7D08,SHA256=557B388EA671C91BF4E546B2CAE86687D428311030E929CF7D4927DD2DFFF67E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400688Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:26.385{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54073-false10.0.1.12-8000- 23542300x8000000000000000400687Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:28.312{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB034550129E24AE5EFA3E8981DE2BEF,SHA256=4C1D9DA571C575C5762D27DB3CC6A3C1105E5B650BA95EE576FD0DC8234300AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400686Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:28.250{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E4-60E2-1300-00000000D401}848C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400685Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:28.250{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E4-60E2-1300-00000000D401}848C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400684Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:28.250{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E4-60E2-1300-00000000D401}848C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000400691Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:29.828{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=904422C45F7C84E978E964094175438E,SHA256=4E52A127F0EAFABE38298903EBA1A87BFFF953139F7266E2D39FEF540F2AFFD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400690Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:29.828{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07FC714E6162493EA2A8AF3A282FEB57,SHA256=4D5C52FBA4ACE731571D5B907816E65C42B0EF73ABF1F99528A3B0A664A315BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400689Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:29.328{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABE02428295C95E008160CA987645AF8,SHA256=69B91E58D5159899F961A06FC4C0CF0DE9B5B4BE8264D3303875FEB7D6708422,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455950Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:27.569{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61101-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000400693Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:28.724{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-53358-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000400692Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:30.343{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFD086CA54305473AC841626EC1EF01C,SHA256=2D3C234F4FEA87401F5DEB59C8661A236A6202EA3A9926DEDB677DAD63309F04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455952Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:30.786{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455951Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:30.001{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=907508B91841A60FE7FC439F3408231B,SHA256=868F2103FCC387DB8F4D7F5DAFC1967E2F1F52D40CC4AC35D8CE7058BE88CA8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400695Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:31.453{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400694Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:31.343{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6C3ABFDCAA084D87BE6A777E6856129,SHA256=553FA8DEE7F8F565E63A5E54292B26BBC4D62E6FE80801013F70CA0F171CB296,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455953Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:31.019{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E356F09E879330CD25219F12ACECFF4,SHA256=F02A8496B751D1A4134A3D3453440BF7CC0C4384B39DD2F06FA05799727083DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400697Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:32.359{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55742DAF8029AAC610254C66DB93D006,SHA256=778B0B12173BB7C471FDAEA40113F07171E49B58C5853BE3EBE2FE4129E2B981,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455955Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:30.217{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61102-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001455954Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:32.037{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17A1324320A70AE434D1660C85BFC1DD,SHA256=6A0C6018B9FEE4F62EAEB63CEDFF47BAC79C4DFA7B6390210A9A02276B92EAA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400696Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:31.400{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54074-false10.0.1.12-8000- 354300x8000000000000000400699Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:31.650{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54075-false10.0.1.12-8089- 23542300x8000000000000000400698Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:33.359{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE87E3F9EDB47A607270251602288EAE,SHA256=A8D93FF24997DBA1DCDA6698A01C30848AF6294D65756934AB79B3528CD54A52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455956Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:33.052{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE6C86E28F5A30B35118AC8A219E5594,SHA256=115F9A2FA71D105F11D443EF3BA51A3AC0B02D31ADE6D9EEEBE23D75B7774646,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400714Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:34.703{7F1C7D0B-0C4A-60E3-E60A-00000000D401}6523896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400713Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:34.515{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0C4A-60E3-E60A-00000000D401}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400712Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:34.515{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400711Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:34.515{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400710Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:34.515{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400709Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:34.515{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400708Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:34.515{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400707Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:34.515{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400706Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:34.515{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400705Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:34.515{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400704Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:34.515{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400703Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:34.515{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0C4A-60E3-E60A-00000000D401}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400702Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:34.515{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0C4A-60E3-E60A-00000000D401}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400701Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:34.517{7F1C7D0B-0C4A-60E3-E60A-00000000D401}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400700Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:34.359{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE1735152E22B9E08733ED59A4EF1B9F,SHA256=802D630F115E6A4D8FCC7637C190710DC5E3F376B08823976CCC7A3411E0F32D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455958Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:34.081{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F5825AA466B80B659164924F5D87705,SHA256=0CA2B3583EF3DCCA5C27305A3704D45110512178CB6D8DE4FCDEC8E5B2F538E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455957Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:34.050{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7CB48C532A85D953DF83C758E8913755,SHA256=59BAE2FF9756E4095744CD37236F88DCF2EBFE4C2E8D9A16D4A2FBC1AFCC769A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400743Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:35.859{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0C4B-60E3-E80A-00000000D401}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400742Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:35.859{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400741Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:35.859{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400740Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:35.859{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400739Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:35.859{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400738Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:35.859{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400737Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:35.859{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400736Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:35.859{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400735Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:35.859{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400734Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:35.859{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400733Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:35.859{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0C4B-60E3-E80A-00000000D401}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400732Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:35.859{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0C4B-60E3-E80A-00000000D401}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400731Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:35.860{7F1C7D0B-0C4B-60E3-E80A-00000000D401}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400730Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:35.656{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B644E45A6B43143CDBC266C0DE50F3B9,SHA256=6ECCF9FE9951F7499595AAF53E8FEF775B78CDCDAA2EE89035D92FF2C3138704,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400729Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:35.656{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=904422C45F7C84E978E964094175438E,SHA256=4E52A127F0EAFABE38298903EBA1A87BFFF953139F7266E2D39FEF540F2AFFD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400728Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:35.656{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1FB2CB9029227F6163D73051B2BF8FB,SHA256=5690FBCA5D21757ED775E781950CDF780FECB50DFDF48E93BA62DBE9ADC763BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455960Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:33.596{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61103-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455959Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:35.097{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B74D1B3993EF6A58C70CDFB9D79A0744,SHA256=35F8D0EE1386A773D00029A8CE74DD32D6AE04B8978EE47328EA14A3C4F314AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400727Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:35.187{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0C4B-60E3-E70A-00000000D401}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400726Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:35.187{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400725Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:35.187{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400724Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:35.187{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400723Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:35.187{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400722Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:35.187{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400721Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:35.187{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400720Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:35.187{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400719Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:35.187{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400718Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:35.187{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400717Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:35.187{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0C4B-60E3-E70A-00000000D401}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400716Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:35.187{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0C4B-60E3-E70A-00000000D401}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400715Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:35.188{7F1C7D0B-0C4B-60E3-E70A-00000000D401}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400745Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:36.906{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B644E45A6B43143CDBC266C0DE50F3B9,SHA256=6ECCF9FE9951F7499595AAF53E8FEF775B78CDCDAA2EE89035D92FF2C3138704,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400744Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:36.656{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8D573FDF6ADA0099C40BA25D86D91D3,SHA256=2EB0F0073050CC2DEE728E0D7BE7E156B3FE1D5B0EE2FB9E1D83EA2F29FD603A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455961Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:36.114{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F31048A5019030F5624172A3302D8DC3,SHA256=2117D9AFBEA3B863FC21BF3C80DA6D7A51756BA4F8BC0B92AA6A83DFDBEBE26F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400746Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:37.765{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC2981F3B64F674B2BCF2F48DF4A3E52,SHA256=7F8D149F408330A602F4A65C670A2F664EEF68CB1AC012D2F3C5EBA4B14FC497,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455962Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:37.132{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AD3691783AE77F432854F8AB8C9443D,SHA256=B9CE8A410BB1FA3A314B4D16452A8F10EAFA14E59A3AA7E474811587523A2B5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400748Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:38.843{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEE2BEB091400108E9428212615DEBFA,SHA256=713EF34159AFECD4B18143FABB1FD1F0448795C6043816118E7EBD220970674D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455963Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:38.162{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9B5B5E2FA74F51AD9EF0494FDD9FEEC,SHA256=85834EC02A0EA04B4F69AD9C37737F746696C61C824EFCE02244A36F18DE4E69,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400747Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:37.416{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54076-false10.0.1.12-8000- 23542300x8000000000000000400776Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:39.843{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6999511D9A02798F753EE4DBF4AE089,SHA256=F4FB986293A1A297DDE0874474622CAFCF3AC1A23E485568E1FE4C814778EDFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400775Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:39.843{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0C4F-60E3-EA0A-00000000D401}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400774Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:39.843{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400773Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:39.843{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400772Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:39.843{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400771Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:39.843{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400770Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:39.843{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400769Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:39.843{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400768Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:39.843{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400767Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:39.843{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400766Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:39.843{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400765Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:39.843{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0C4F-60E3-EA0A-00000000D401}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400764Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:39.843{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0C4F-60E3-EA0A-00000000D401}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400763Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:39.844{7F1C7D0B-0C4F-60E3-EA0A-00000000D401}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455964Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:39.192{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC42C292EDF97794E58F4E87FA42AB2C,SHA256=66EB5207D406B9FC2F3F79DA80D24122BE8D485B5F981B6EFA29BCC3F3FE2300,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400762Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:39.343{7F1C7D0B-0C4F-60E3-E90A-00000000D401}9323632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400761Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:39.171{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0C4F-60E3-E90A-00000000D401}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400760Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:39.171{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400759Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:39.171{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400758Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:39.171{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400757Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:39.171{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400756Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:39.171{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400755Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:39.171{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400754Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:39.171{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400753Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:39.171{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400752Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:39.171{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400751Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:39.171{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0C4F-60E3-E90A-00000000D401}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400750Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:39.171{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0C4F-60E3-E90A-00000000D401}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400749Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:39.172{7F1C7D0B-0C4F-60E3-E90A-00000000D401}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400805Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:40.984{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A4E430D3D402883566DD3DB0F12BE14,SHA256=A50E3D7AF8C0BFA599904084535C0DC4E7D9DB68FD076B9C59E559CB269F12ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400804Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:40.843{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0C50-60E3-EC0A-00000000D401}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400803Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:40.843{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400802Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:40.843{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400801Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:40.843{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400800Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:40.843{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400799Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:40.843{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400798Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:40.843{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400797Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:40.843{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400796Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:40.843{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400795Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:40.843{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400794Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:40.843{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0C50-60E3-EC0A-00000000D401}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400793Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:40.843{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0C50-60E3-EC0A-00000000D401}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400792Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:40.844{7F1C7D0B-0C50-60E3-EC0A-00000000D401}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001455965Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:40.211{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D578A7CEAD732A9D986B41DDC305454,SHA256=695E671C9F189801E820925201A3D979D851B358C563BA6AC9813718DB2A1B03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400791Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:40.343{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0C50-60E3-EB0A-00000000D401}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400790Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:40.343{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400789Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:40.343{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400788Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:40.343{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400787Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:40.343{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400786Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:40.343{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400785Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:40.343{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400784Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:40.343{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400783Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:40.343{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400782Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:40.343{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400781Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:40.343{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0C50-60E3-EB0A-00000000D401}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400780Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:40.343{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0C50-60E3-EB0A-00000000D401}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400779Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:40.344{7F1C7D0B-0C50-60E3-EB0A-00000000D401}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400778Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:40.250{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82296C52C9B1898C1F31694BAD971993,SHA256=2FD18FD5040DD38AE30093A38AB3178023B008A163026D17696B88C23CEA9EFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400777Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:40.126{7F1C7D0B-0C4F-60E3-EA0A-00000000D401}36681328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000400808Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:41.845{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D96C91864C8742FBA5C00634EB470D50,SHA256=7C94364DABC138F93EAA00B63DF13836C20B327D8435AFDA4DA637BC7D81CD64,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455967Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:39.639{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61104-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455966Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:41.230{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7F1F4B68873CB204EA7A92FA9C3326B,SHA256=937B5892A9DF4EA93BAFFD4989A2BA8BAD399A0AF8867ACACFF5AD422110DE41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400807Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:41.406{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42ACF77B1E15142DC2A8035407C01BA6,SHA256=BAE4829D6F15E3C9BE03701488EFC87761A20409429ACD8E89695FC577314BF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400806Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:41.000{7F1C7D0B-0C50-60E3-EC0A-00000000D401}30202576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000400809Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:42.889{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A50AF3159603FDDC98E108DE06FED51,SHA256=84CA29FB25FF2E5B2DD01595A4D448FA4DE396CA3B5985A95DD3932CB9F399F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455968Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:42.246{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DD10AD20B9709DC64C2760FEA4A1568,SHA256=F47E3E210AB0B23BE6EA3F54BF1E90D4022F4333DE54A5B9A3D6B3AF220CAE80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400810Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:43.907{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9CCFA05FEE5C55981E3D86CA1FA7C1E,SHA256=5763ADD1EEB3F415B7123F712DB0BF4B057484B9DA86B0E68FE3316C81C48759,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455969Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:43.260{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAFAFBB729B857738D85901156E27BBB,SHA256=D540A8553606EA5B6400D39C591937AFFB2BF806287CA0746416D6E17E2C95CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400811Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:44.985{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D666739BF8B33A339C6271AEAC06FE24,SHA256=678DAA6E9949E1090B29835075DE2369AD7B78F9B2899DD32B5A3C270A90B47A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455970Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:44.275{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD49056867BA8FEB638BF9FA087BAC05,SHA256=9088CD150346AE1FB13AF61F34C1C5C7CC97BB5876E3B174A36368B5A5AE3702,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455971Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:45.290{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E952C109204A623B9F64D898A41EFA60,SHA256=21E1B70FA65F542B6C9AD072C9E04B65264E0BB7B3447BE83D8579BE46A48A3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400812Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:43.415{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54077-false10.0.1.12-8000- 354300x80000000000000001455973Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:44.652{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61105-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455972Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:46.308{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACE53386E3247CFD1BEDDBBE76DD26BA,SHA256=F4C97BA02C02AB78E9F8311271AFC642002F93CB59BAC9D183A0C0612F25260E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400813Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:46.001{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0781969D22E594AF8A19965EBE0DE562,SHA256=59406882DA76F3D5099BC8A50569B17BEB9644DC3F7C957D3D80C124C8F1D96B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455974Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:47.326{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFAFEDADC2D55F30FAEC8C620DBA6292,SHA256=F3763BC92598D44741A813F5854ADE7048DF91B7DA5ABEB341AAD024952E711F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400814Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:47.032{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7BD5D839F24670F0FD1DCCFB108FFC6,SHA256=40565F037095C738F7C1034491231751771B0D29C807FC62A173017718BE7FF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455975Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:48.341{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B3B5AAF060B287B56AA440926186DB1,SHA256=7C45C3D4C8CE15A69D310121905E4223185308CE664D1604EAF1A9895E7DE168,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400815Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:48.032{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82323948B757E6960805359CC06CA4AE,SHA256=1F6EF6CCA2C77402EE4EED72A55ACACA58F96E77F756926C066F6420CE9ECB59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455976Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:49.355{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C864A1098A20C72DE50F12515177BA14,SHA256=11655D0000D0DABD8E50E49E59215BEB04AD052FBE49DDDACF1D6342275650E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400816Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:49.219{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F704D38709B0F57F55F90A32E1EAF44D,SHA256=E798F76D7AE0400A49FEF83AD57D063E90BC066F8241D3B30D9934048833CCA6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001455980Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:50.470{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1500-00000000D301}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455979Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:50.470{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1500-00000000D301}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455978Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:50.470{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1500-00000000D301}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001455977Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:50.385{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C5EF311E670E649CF5B3755DB61C231,SHA256=09D3B27EE636A2ECAFCDA48A0A4673C918DF958580DCFC584996B60B463B3964,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400818Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:49.417{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54078-false10.0.1.12-8000- 23542300x8000000000000000400817Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:50.313{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3F3A6E5F80231A4B0B4B43B0E0E6E6C,SHA256=A9D2A1E5099B8D566DA713DC38A234D27B0B1163EB65EF0B95F65C9B73F55F92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455981Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:51.404{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E3281FEA7E1C890232F90D9A294B6A7,SHA256=63F48C1400E1D49CD431ED539916C3D92EFC4A180C1BF3926223E08EF506F40A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400819Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:51.344{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65576C920E3211ADCE1B6E2B5FF8CE1E,SHA256=79DD3AD89A1EA71526CE580704B84834509F0649F954C0D3E0FEDD72C91FD069,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455982Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:52.420{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A41D2A709B2C23486FA36496F0E40284,SHA256=BE513164D5ECBC68F92924F174F98C7981245F6020E9A4AA6183683F70BDB495,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400820Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:52.438{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAC883E417E677E007E51A3FC6CCC8DB,SHA256=615D1195DEF5FEFBC8EF48EB7AE908B09685E30D7AAFA856AC3C88161B9B31BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455984Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:50.647{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61106-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455983Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:53.450{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE5F60C36C6B280B1BFF6C0741DACC6F,SHA256=1930F0F5E074FD1675FF53FED2850D74F51EC0A2B42EB2B8A913AD1EEFB4021D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400821Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:53.438{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74CC7D4B3402BBFA5F22C60B88AA7439,SHA256=D092C9A008E9F43CC03CFE53441F71471733AE07EDC9D7DBDD43667FC2769985,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455985Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:54.480{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52B6454A392F3C68E152B9760CD7CA17,SHA256=DB927FE5A267492ABEDC5FFBBCECCF40F39EA1B0ABB6687882F88937007A9B65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400822Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:54.438{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BA3B4566FB8C5B2E1D7E2DEA5315C68,SHA256=0C3FAA7E84E200EC9CB392A2D4C0BBF63EA39CE3845CC004AE251D8E6FA85A05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400823Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:55.454{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=081FC6859CE8A0EB049CAF0AC8AECB5B,SHA256=9562C348D1D91B2A101386C4F676B732F5E9D7E324186A92B5B030E572495A76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455988Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:55.498{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DDD31BB48268BAE0D84A666D1CF13DB,SHA256=38641354BF688C74AA3A191D5E4BB0C18DB5FBA2CC8637584747CD87EF791A1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455987Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:55.316{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99F39453D45C05520C036D1B5D0DDFF0,SHA256=C1610549E11BF707869368E6866BFDE555BD262DB02B463DBBD698D50C843F4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455986Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:55.316{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A10B92E090915819934F80BB32A6046,SHA256=C9F4CA564336F9455FB75AE69BD908F8E95769D4708F3B92C4B2D517DA96CC9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455989Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:56.516{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E618C941F6D7610235B55C1B5FDD499,SHA256=495DF06913FEDD27C30A5EEF73F20D6CDAB2EF1F0EB2C3CC990C37B22D1FEF5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400825Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:56.454{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47F942BACF8D3D24531AE7BB72B61930,SHA256=06FAD7223D86EB0660DE0A2FD4C1ABD12DF8A28FC0E27DF40BDAE59DD8BC3CBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400824Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:54.449{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54079-false10.0.1.12-8000- 23542300x8000000000000000400826Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:57.454{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=044CAB602FB459A44F91CB367DCB052B,SHA256=34BE09086CEC7156ACF7CD102E9CEAB246ADDBFFB62A22DC4E7B3C99BCBFD69D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001455990Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:57.531{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16557E3FFE0F6EB195AF752215F94FB8,SHA256=087FDEF998DFCA1F8662ED646EF9EC0373D31AF5B56805BDB83B1C5DE4A3BDA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400827Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:58.454{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEBB6D553F5A1B1A53214E027DA5E877,SHA256=442B0867E8D9FECD7626B16938612BEC72CFDF8E7AE71C7D34C434FF80FCACE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001455992Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:56.640{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61107-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001455991Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:58.545{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AC6670FA03C8A2C679C9850DC8F4880,SHA256=C0DAD39EEDBB36C5565BBC5997BE0763C4F411909D3C08E549836BF2BDC34220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400828Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:42:59.485{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45EA72771F7D8BF6446675D2303A437C,SHA256=4A1E33E7269DDE149323941FEF789CE15AC70C8410CFC8066DB3C9485F23DF70,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456010Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:59.729{D694AEB8-0C63-60E3-7F0B-00000000D301}17961172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456009Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:59.596{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0C63-60E3-7F0B-00000000D301}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456008Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:59.594{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456007Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:59.594{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456006Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:59.594{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456005Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:59.594{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456004Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:59.594{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0C63-60E3-7F0B-00000000D301}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456003Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:59.593{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0C63-60E3-7F0B-00000000D301}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456002Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:59.592{D694AEB8-0C63-60E3-7F0B-00000000D301}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001456001Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:59.575{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BF21CEA5913484EFF665D8892BE6572,SHA256=FC2AAE5202FFD18117DF373B0A14F6F6A78B603D72A93CE80C5C9CEF86B0B457,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456000Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:59.029{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0C63-60E3-7E0B-00000000D301}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455999Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:59.029{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455998Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:59.029{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455997Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:59.029{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455996Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:59.029{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455995Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:59.029{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0C63-60E3-7E0B-00000000D301}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001455994Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:59.029{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0C63-60E3-7E0B-00000000D301}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001455993Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:42:59.030{D694AEB8-0C63-60E3-7E0B-00000000D301}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400829Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:00.501{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF1D0702BFC76BF4576DB7052C0A19F0,SHA256=E822B97AA0CCA3B4367070D7F8BB7AF05619885CD321170517451FD7E9696587,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456020Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:00.597{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0CAAFBD42556517B5630762BDB0D6F8,SHA256=BC53D29A89981EF3D57A2429E074A294951CBBEF3E338026AF45286DCB8EEEDF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456019Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:00.260{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0C64-60E3-800B-00000000D301}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456018Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:00.260{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456017Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:00.260{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456016Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:00.260{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456015Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:00.260{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456014Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:00.260{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0C64-60E3-800B-00000000D301}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456013Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:00.260{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0C64-60E3-800B-00000000D301}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456012Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:00.261{D694AEB8-0C64-60E3-800B-00000000D301}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001456011Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:00.045{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99F39453D45C05520C036D1B5D0DDFF0,SHA256=C1610549E11BF707869368E6866BFDE555BD262DB02B463DBBD698D50C843F4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456022Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:01.612{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAD4712DA8866BDC12AC5D130A15DACE,SHA256=1F542EB2B46442B1EB7B3193A85B453699068A5F1A02E0EEF2E3F30A278FD3C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400831Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:00.292{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54080-false10.0.1.12-8000- 23542300x8000000000000000400830Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:01.594{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6135520B056DC40ACADAB61323A5497B,SHA256=B6C494D8EEEC0DDBD635E05481155C5FC84B35B8B8488C1C389DAA5562931803,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456021Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:01.275{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29458469325753A0EDAC2D568A4504E5,SHA256=D194765B4715B98A2FF44AE9E0B0AE522C8F2F058CEDC06BD25E19950E4A0FAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456032Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:02.742{D694AEB8-0C66-60E3-810B-00000000D301}24886960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001456031Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:02.626{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F03CDD37345CDC45E6E510797404AEDD,SHA256=9947A72572CF64769A8AEE086685713175EAEEB2622D92BCF2040841448F49B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400832Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:02.594{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4D6B0D9185D0DAF63505AA329D46CF6,SHA256=1F850FBD35B1A2D0FA21B253137928772E1248C970D350E85C3D71827B61B4D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456030Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:02.573{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0C66-60E3-810B-00000000D301}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456029Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:02.573{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456028Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:02.573{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456027Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:02.573{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456026Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:02.573{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456025Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:02.573{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0C66-60E3-810B-00000000D301}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456024Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:02.573{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0C66-60E3-810B-00000000D301}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456023Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:02.574{D694AEB8-0C66-60E3-810B-00000000D301}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001456051Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:03.911{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0C67-60E3-830B-00000000D301}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456050Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:03.911{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456049Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:03.911{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456048Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:03.911{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456047Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:03.911{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456046Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:03.911{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0C67-60E3-830B-00000000D301}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456045Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:03.911{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0C67-60E3-830B-00000000D301}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456044Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:03.911{D694AEB8-0C67-60E3-830B-00000000D301}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001456043Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:03.642{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77A53395786DAA5F55AF9DFD6BCE962C,SHA256=5401302FA0ED7CE876081E6E4BC0EF89F5C0FD93A0769D3A895BA93E417E3616,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400833Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:03.626{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30AA7C699483C08D08DA454858F7B6A4,SHA256=6268875B6F98EB6AD76C008287C7E4067C44EB7F2116EB85EECA75A36F46BA91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456042Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:03.592{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40D7512BEAAE7C003B999B0951AF96A2,SHA256=5B6205BCCF9DBC6CF8457E2FEBE881885E724704F0D842972595F18054C4AB31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456041Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:03.411{D694AEB8-0C67-60E3-820B-00000000D301}45964632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456040Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:03.258{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0C67-60E3-820B-00000000D301}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456039Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:03.258{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456038Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:03.258{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456037Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:03.258{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456036Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:03.258{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456035Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:03.258{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0C67-60E3-820B-00000000D301}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456034Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:03.258{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0C67-60E3-820B-00000000D301}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456033Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:03.258{D694AEB8-0C67-60E3-820B-00000000D301}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400834Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:04.626{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA28E89212DE6D4FDC8428D46A9CEA98,SHA256=4DE8CF067FFFA64FA82E4F1C44604A5E9FD099AFA4B31E138C424D3752EE61FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456062Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:04.941{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37741C679E445B1167BDFFD5A30BED92,SHA256=61065ED96291823839CA2EE28D783602564415487375697DB54043760DD2FC91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456061Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:04.672{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7213514AF07966EED88EBF1BF6FA96CD,SHA256=67B48BFEDEDD21A9D308C04E108B34E6372482A7F3579D12197626629F5E98DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456060Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:04.593{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0C68-60E3-840B-00000000D301}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456059Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:04.591{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456058Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:04.591{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456057Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:04.591{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456056Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:04.591{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456055Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:04.591{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0C68-60E3-840B-00000000D301}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456054Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:04.590{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0C68-60E3-840B-00000000D301}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456053Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:04.589{D694AEB8-0C68-60E3-840B-00000000D301}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001456052Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:04.073{D694AEB8-0C67-60E3-830B-00000000D301}40841836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001456064Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:05.691{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F89077F34B791231D58D841B5FAF9711,SHA256=FFBE47841E21868FB15A51C169E0E1B64F08ACE0DEB9BCECCF4544B30CADBF28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400835Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:05.626{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEDC10B85FC86F9B91896EC4D1C36831,SHA256=DC1B2F3F0DE06F57BAAC10458F3A16356B39F979B8B6CD8B01092AFB0496CA52,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456063Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:02.673{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61108-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456067Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:06.693{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26B14F1B39A03C94F5E85DA05646F754,SHA256=AD7702D64593D53A77CB66FBF252F4A160D7AB582E150415A4F6618140CD6D9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400836Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:06.657{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=130EE54E301E275C64FFA705D4E6E32E,SHA256=9B598AA977A3E5CE52DE6C87BEC769F7053FA067222676D802D1A336EBD16515,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456066Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:03.458{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61109-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001456065Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:03.457{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61109-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001456068Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:07.707{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF68EA4B16C106DFDA39A57548FC67B0,SHA256=2F9F54559CB0F21633AFAA1CCF330FDE07D517190F34E47ED74D1D46F47DA04C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400838Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:06.308{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54081-false10.0.1.12-8000- 23542300x8000000000000000400837Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:07.688{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8024D4FDC5C0E4950196302DD6B0851,SHA256=7F0D91B5EAA72147331352A20D7A8034F72E6D36D56EE54318B5A90AE840D1D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400839Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:08.688{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C60703E506A68EDF41F7304D246C342,SHA256=859AAD6255D7E96447AF0F2C8F59AAFA33259979067540468C6D8D60801E4C7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456069Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:08.738{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D57FA5B031211DC589E6D85D5707AF06,SHA256=518F1A5B5B963A58C900D83B40E20DC723671F22324CFF6375DAF37B245DBF60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456070Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:09.768{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69BBD85ADEA9165B5C87F46590CED55A,SHA256=1C434BF360D84586CE079B86A43EFA398D3091EC232DA07C36C6FBE2156C5349,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400840Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:09.704{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39522D23C7F9B365179D3D4FEB64B5C4,SHA256=74029F8F75744B42B0D60615E9391D77D554337C91A2A8275AD9EEE0453B60FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400841Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:10.704{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDB211F422A94830A902C7BCEC978FB5,SHA256=7585C332CDA0EABAAEF7F0474494583874F133CB9277DC4429D2C99AC0C46615,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456071Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:10.768{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4251FEA6863ADDF1B271F4B9F2FB2FE,SHA256=079DA4B06C44820263D8627865FF502B8F63A77D093AEBF8DE1C5C0ED5E4702D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400842Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:11.719{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3D28DE5B9EE38F05751C45BD32048F7,SHA256=CB4708FE8CD00CBEAA5C349629E085CE0C4B03CF942D6B5C5F7DAEC9621D795A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456072Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:11.786{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9196B78B4FD5A56FA0565476258830BB,SHA256=A0147061843FCED231A78225776265C1147DC23304F17A53B3B6115FF1B2D65F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400843Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:12.720{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A53E73618FD896728A236F14E80150F8,SHA256=68731C54BB396290D5824F5205D13974BF2FD27B36DDE52754C8802A45880CC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456074Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:12.804{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF0120E388721AD66A21F998AC5B8246,SHA256=1D87E052535A87109DA2C8AC385FC3A3A161C21D72D9ACA823445B6CF6C5A6FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456073Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:08.668{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61110-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456075Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:13.865{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3399FA09E5728E41F36BEC6B21CB8EE8,SHA256=5BCF9363E53F1E6B74A3080FF8B4D70AC0ED942826FFE562AF6B1493A2C881A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400844Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:13.813{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F529DB174C18796BE425759880AE41AE,SHA256=468E52844CD7E3B39716146A2F346313B7BDFB34925EA37C23A046CEAB36DF11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456076Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:14.882{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=785B50469AC5A9C81A000302E386878B,SHA256=6C10729955D15F4B0460F55740BB305C7DF04CAEF098074C4F23985D835034EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400846Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:14.844{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E02219F7148BC6C0707C01322BFD59A6,SHA256=B3DAD96CCA4201C8B28BBE8538E799C60B39EDAACE8354F9A1C1E990A803B513,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400845Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:12.293{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54082-false10.0.1.12-8000- 23542300x8000000000000000400847Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:15.844{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26D488E29063AC9CCD5FBCD0A7EA5A61,SHA256=04419FE82F09A61BF867CA080BB40B38B317D1FA76C33378CADF15173A62326E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456077Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:15.900{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48CF261492B2ED1C31A05E4323B625E1,SHA256=E31AB8B9F6619E20B0713625C8156CE224EBDBAA9C27311DDF3748B8DA2D4FB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456078Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:16.915{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE184E5A2E04C1D6CBBA2A397A6F26CD,SHA256=E7224FC6C134C95BE34E668B387DE419EAAA2DD1B93E74CECDC33BA8B2DD7056,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456080Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:17.946{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA460499FFBC9C6600CAE2FDEB4F20E3,SHA256=8143BDF95430C4A3B51CE93AEB0CD81ABD9F324FF6FB4E030FF87863567BB585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400848Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:17.001{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39CDB513F33418746B5A8FBF58E00CAB,SHA256=36BD228BD989E39DF82F53283C5FA73E1EC264051E560CFE9D541EC2F1F68F0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456079Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:14.663{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61111-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456081Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:18.960{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB3A37A90F13C62F1505516E85806283,SHA256=676FC4B85C7BA5B41E954026B4C15358B2726E18EC300CBFBFDBD32C9054E454,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400850Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:17.293{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54083-false10.0.1.12-8000- 23542300x8000000000000000400849Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:18.016{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EE21D6B309D40CC66C78012E95B56D2,SHA256=EBAE80AAA7544CB77CCBDFE2CB32856B62FC94F9181A06855B64403E0C579384,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456082Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:19.977{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D38F7143578D9E8124EA89EE06ACFCA,SHA256=48884381FAC4E0BFB740A297CAD6C395DC73AF9846CA00A301A71895C0FC29D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400851Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:19.032{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC2F0F27099DDCD2E3749ABDF8E0E014,SHA256=752984CB7B5D90CB157A1A950410881432B636D5B8DFDBE12C94D4527D7E31CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400852Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:20.063{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=936A00D7647FBB6FB99C53C573D155AD,SHA256=15C26B7B1DF0CDE603D0B9425B5BB9EA51FE8AD41C3263C5520A7F21C1D37649,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400853Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:21.063{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70721A940158C994194AA41526CACCCD,SHA256=0E07D0F16A48383C6ED3802C754CB7AA01C0E40DCCA16A1FE00AEC9A5E69DC0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456083Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:21.027{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73CAA13882577E1BD9E6262E4F8F72B8,SHA256=7EAEDB1A69DF0340FCBF99A510BE57E5045234F4F5412731FEB4106576706542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400854Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:22.094{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B112089FC193DC09E34354C3917986D7,SHA256=961052DB12C32D22B00A072340E2076EA01A61D14B60F5CB87193EA01618A90D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456087Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:22.557{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6F25F172D0A030863F9BF442BF98037,SHA256=F5CAE1C8D8F0629351E619A2B188124AE895C471BE39850F4681408E7CB078D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456086Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:22.557{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=799335B3804FE61DC15224EE79FC1B57,SHA256=C6ED5215C2745C5278E6649E6B8ACFC3666BC92C342AB2FB2BA12C62344D6765,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456085Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:19.851{D694AEB8-B3EA-60E2-0F00-00000000D301}376C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-32365-false10.0.1.14win-dc-201.attackrange.local3389ms-wbt-server 23542300x80000000000000001456084Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:22.042{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B8AF468896FB0F19F469983CAED76D0,SHA256=469FE41F4183512D319A39D5FF0DCC849537AF72D9E539BB8F3B407146AB024F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400855Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:23.095{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B13626E2BBAED1934A1318D53A0219E7,SHA256=177A00CE20108DEB07DFA1D462A4CE7781A6D6180FAF8106788EE98148761322,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456089Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:20.705{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61112-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456088Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:23.056{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDAA33FEF96FF4EE53FE1FF2D7A9685E,SHA256=1C614EE92DDCEA4CEDA9111E8FF434BEA279BEDF28849FEEE8296DBB4A4ED855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456090Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:24.074{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FAD97A14F0BDA6F6C6360C20EB45C0C,SHA256=17CC4C258D126B196918D092D4B8783DD86BC1F063040473A46B48D624B02663,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400857Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:23.262{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54084-false10.0.1.12-8000- 23542300x8000000000000000400856Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:24.157{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26584B664875A2696BFF8DF873B819AE,SHA256=F693FD4AD4D7ABE6B5812E0816F740C73E633753E92FC4EBC784A61BF1A56F32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400858Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:25.188{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEDFBCBF203D79505980FA917FC92C1D,SHA256=7FB9ABF4B7FD3A05198516C751A86677278CF497D3A3A2C37408FBAB2287897D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456091Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:25.091{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF02792683B184517EDFFACC04D2BC59,SHA256=211460FB32F94B574878D9C43CCC3E3EFA4FFF3B92CCABFC3AF5C135A6F420F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400860Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:26.391{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=67ED832F5258CDBAF2A65995F419B3B9,SHA256=FD13117CF1F10AF1286F7FC5C87D7D6F1579D751C30A4CD54792038847272B43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400859Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:26.267{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CDA3B1FAAA12B17E2904AA950075715,SHA256=D9EC06717FAAFBB08C7986E6A35E0F81B1DDB71EE649CF31BBDE4BCC0E2A6640,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456092Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:26.121{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6AF541A15E094A7A2B5DD400EE22C8B,SHA256=BF6CD0C4F53A886AF6C004DCB2BA89AE1C7F5E200AE7BFAB5918E0CFE7A88277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400861Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:27.454{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3988E06419D3F14E91984F87F3D875FB,SHA256=6ECD000C7E16A8F75269FA9792EBE98CBC798F22414DC3E5B0FFA44F0315B13B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456093Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:27.136{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B44F410A37FBD76C4972EEBF38EC250F,SHA256=BAC25C571A9FC4793B3F2093D0F1B972BA4E85E7134AF2C6A7B1AB2538EC705D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400862Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:28.485{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3CE66DF86BE4BA2E695ED720828AF91,SHA256=044FDFD28E80A83AC0B29B4B10822C8C77C97D210A390A7FF6EAA7C6CA378E76,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456095Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:26.682{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61113-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456094Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:28.168{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A7FB8F2CA6477FEFDC87F94787D0874,SHA256=6BBD738C9579F69CFB5E4742D7F7C20FA3589672AFD8BA520313B8D9E9126A6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400866Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:28.486{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-53735-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000400865Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:29.532{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B10294A8A6A01892560BC12D4A7C759A,SHA256=68827B24B75ECE1A3096423CCF7D05D75D94FA636AD4D4BBDCF4AFEDF9313480,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400864Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:29.532{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0E87ABEA222B61CF804B2F3C91F9861,SHA256=0A1D9BDD0D9A9BA6FA820721C85C134F962C7A9B059E1B9F5180BE3A60CE443B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400863Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:29.485{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5023E27AC7FE54BE6877749F6C4CEFE,SHA256=400C7BF8CA6521E172A5C297736A5C88B75E6FF3F54D60433E274E02F14ADAF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456096Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:29.186{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9117C9FF467F97672D91F955FF1874C9,SHA256=5EC2A1AF8EE172A90B70884F514F0C98B50669E1F778115732E076A4E86AAA85,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400868Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:29.280{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54085-false10.0.1.12-8000- 23542300x8000000000000000400867Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:30.532{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B231FBF57E576EA28BBE6FAE07714154,SHA256=426597DBFBD17D1E57707B2957A914DE36F0782483E423983BBD8CC7EF9BFA89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456098Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:30.816{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456097Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:30.201{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ABC9D0A6B50D2FBA205D188A946832D,SHA256=68144B0A8706C17DE62BC3A60FD2395A6D81F812941E9E5A8D41EEC9F845E3B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400870Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:31.532{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9016D47DAA091EBEDAFFBB46CEEE5C24,SHA256=3CE24C4412B25BCBEBE2B85FFCB56587E73F307FF3AD91035F5A206A21CE6995,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456099Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:31.247{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA257A1C23B4805E53743836414CD43F,SHA256=E64A9FF9036D807B52F7E88D94E657819C3311703202AEED2487CD382FF1DE56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400869Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:31.469{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400872Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:31.668{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54086-false10.0.1.12-8089- 23542300x8000000000000000400871Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:32.532{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4E58D9EAAE10E6E0CDD64D11DBA4629,SHA256=7E38785E266E620AA54DFD0983107F79979296983DEDBBF65EE18C3A3F9B57D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456101Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:30.247{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61114-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001456100Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:32.264{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31130081753CFACAA652F81B7C14C898,SHA256=6E90A6AE1B116082149ED2925DB1CD841D64F8F4B42EF2036812D0E1F150CB2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400873Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:33.532{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=371217B7EED2B233ECBC69FF3F44DDD5,SHA256=7AC9A059C5BDF42B4B174835C28EEC8881BB6A393E444A206FFE50E1D559B474,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456113Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:31.692{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61115-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 13241300x80000000000000001456112Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:43:33.397{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001456111Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:43:33.397{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x015a3332) 13241300x80000000000000001456110Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:43:33.397{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7719b-0x5d0a15d9) 13241300x80000000000000001456109Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:43:33.397{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d771a3-0xbece7dd9) 13241300x80000000000000001456108Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:43:33.397{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771ac-0x2092e5d9) 13241300x80000000000000001456107Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:43:33.397{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001456106Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:43:33.397{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x015a3332) 13241300x80000000000000001456105Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:43:33.397{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7719b-0x5d0a15d9) 13241300x80000000000000001456104Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:43:33.397{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d771a3-0xbece7dd9) 13241300x80000000000000001456103Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:43:33.397{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771ac-0x2092e5d9) 23542300x80000000000000001456102Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:33.297{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CF363E7C3C8F80F1CAEBCDBF9BB26C8,SHA256=CB502F1AC9353F67DA22A8D7FC17FBE7B40EE3CE17D0E610A8458169B28D5715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456115Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:34.312{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28C788FAA0843C47630651551C6E847C,SHA256=BC97B95AE938D8DE3BFC2A2E9C329358BF3596EF7A52620AE81E31BBC6983795,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400887Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:34.532{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0C86-60E3-ED0A-00000000D401}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400886Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:34.532{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400885Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:34.532{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400884Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:34.532{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400883Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:34.532{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400882Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:34.532{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400881Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:34.532{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400880Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:34.532{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400879Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:34.532{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400878Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:34.532{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400877Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:34.532{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0C86-60E3-ED0A-00000000D401}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400876Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:34.532{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0C86-60E3-ED0A-00000000D401}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000400875Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:34.532{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA1177558ACD29EE3C6581BD322FB5F2,SHA256=C5C9D82DE53F675B17E110E50EE456C9BE0E6B76D4C165A8AC1B2BF1D26C5BFD,IMPHASH=00000000000000000000000000000000falsetrue 154100x8000000000000000400874Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:34.533{7F1C7D0B-0C86-60E3-ED0A-00000000D401}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001456114Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:34.060{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=5D83F08692E979B32E64A8DB0899BFA9,SHA256=DF1A24F0F98F2F9A5ADFB2D7D8C01B2E621D824566F43E6ABB1C53F0EF9D64A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456116Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:35.327{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E177FFCBB3814DBF1AC65D6B912DA9AD,SHA256=939E8A6013473D1202AC5D77259086F3BBF945856E70ED2D0BAD887C8AD9C891,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400916Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:35.876{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0C87-60E3-EF0A-00000000D401}760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400915Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:35.876{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400914Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:35.876{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400913Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:35.876{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400912Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:35.876{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400911Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:35.876{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400910Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:35.876{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400909Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:35.876{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400908Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:35.876{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400907Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:35.876{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400906Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:35.876{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0C87-60E3-EF0A-00000000D401}760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400905Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:35.876{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0C87-60E3-EF0A-00000000D401}760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400904Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:35.876{7F1C7D0B-0C87-60E3-EF0A-00000000D401}760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400903Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:35.594{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=209BFC49CEE56491B712B27E99D52961,SHA256=237178A9E01046319220E9CFE41D192D4B699FBE198254F0AA14045707A87866,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400902Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:35.532{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33C520FA282230AB83B40B6EA75FAE8A,SHA256=DCFB9A4F05AC56C18F50DBDFED579833670BE601DC2E79F9A5CE7A9041EB3F13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400901Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:35.532{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B10294A8A6A01892560BC12D4A7C759A,SHA256=68827B24B75ECE1A3096423CCF7D05D75D94FA636AD4D4BBDCF4AFEDF9313480,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400900Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:35.204{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0C87-60E3-EE0A-00000000D401}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400899Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:35.204{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400898Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:35.204{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400897Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:35.204{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400896Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:35.204{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400895Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:35.204{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400894Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:35.204{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400893Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:35.204{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400892Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:35.204{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400891Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:35.204{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400890Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:35.204{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0C87-60E3-EE0A-00000000D401}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400889Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:35.204{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0C87-60E3-EE0A-00000000D401}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400888Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:35.205{7F1C7D0B-0C87-60E3-EE0A-00000000D401}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400920Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:36.876{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33C520FA282230AB83B40B6EA75FAE8A,SHA256=DCFB9A4F05AC56C18F50DBDFED579833670BE601DC2E79F9A5CE7A9041EB3F13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400919Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:36.548{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF797068C95CB452A0349C2E1169C5ED,SHA256=DF078F29950314D6D8EA9523AA051D06A10AEB4E19FA34462774657F66E2BEA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456117Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:36.327{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80B6232151241A78BDD8D0FD0C47733F,SHA256=AA5D78CFCC4B7312F77CC41B96EA3614AA58DAB8855CE7732317995549FA0960,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400918Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:35.262{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54087-false10.0.1.12-8000- 10341000x8000000000000000400917Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:36.048{7F1C7D0B-0C87-60E3-EF0A-00000000D401}7601232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000400921Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:37.594{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B894AB043395DFDD678A0329C1B2D44D,SHA256=D49E5433968976F409AAF2F325C533AE5DA256643A29F0923377FDC35511E2CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456118Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:37.360{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A368576858CA94CA437F7FC4502E165,SHA256=F0AC269E78FC73C05A20F5CDF4D9D0764B8A3813CFCF22848C0236E83818F0B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400922Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:38.641{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE87B93543972BBB83447D41A1C9571D,SHA256=DB5F4E1009AF8C6E5F08E33D5CE63180C55775F4D9D2BA0EF2FA231658893A73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456119Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:38.394{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24D2F54A01B0A9FD334B077A3478C30F,SHA256=D0603D8CAABA538DAC56C51DA0A0830513D65F7FE7389345ADAA86B9718D5F64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400951Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:39.844{7F1C7D0B-0C8B-60E3-F10A-00000000D401}15483428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400950Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:39.673{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0C8B-60E3-F10A-00000000D401}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400949Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:39.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400948Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:39.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400947Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:39.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400946Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:39.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400945Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:39.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400944Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:39.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400943Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:39.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400942Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:39.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400941Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:39.673{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400940Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:39.673{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0C8B-60E3-F10A-00000000D401}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400939Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:39.673{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0C8B-60E3-F10A-00000000D401}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400938Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:39.674{7F1C7D0B-0C8B-60E3-F10A-00000000D401}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400937Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:39.641{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E37EC7023E94348771AD0320B899371C,SHA256=7A8D06A839108C5297A2D5852957EBE0EFCCA0755150AD99E1A7DA348F5DC902,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456121Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:37.703{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61116-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456120Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:39.424{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B88ECD21D1CAE157C3F63E08444E339D,SHA256=8A822E958A4882F8A74C58F77F3C7FEA0F966DE864D4F838D9BA0C4DF52F5281,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400936Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:39.439{7F1C7D0B-0C8B-60E3-F00A-00000000D401}6562732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400935Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:39.173{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0C8B-60E3-F00A-00000000D401}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400934Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:39.173{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400933Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:39.173{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400932Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:39.173{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400931Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:39.173{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400930Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:39.173{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400929Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:39.173{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400928Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:39.173{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400927Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:39.173{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400926Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:39.173{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400925Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:39.173{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0C8B-60E3-F00A-00000000D401}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400924Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:39.173{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0C8B-60E3-F00A-00000000D401}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400923Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:39.174{7F1C7D0B-0C8B-60E3-F00A-00000000D401}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000400979Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:40.891{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0C8C-60E3-F30A-00000000D401}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400978Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:40.891{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400977Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:40.891{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400976Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:40.891{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400975Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:40.891{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400974Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:40.891{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400973Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:40.891{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400972Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:40.891{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400971Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:40.891{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400970Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:40.891{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400969Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:40.891{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0C8C-60E3-F30A-00000000D401}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400968Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:40.891{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0C8C-60E3-F30A-00000000D401}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400967Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:40.892{7F1C7D0B-0C8C-60E3-F30A-00000000D401}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001456122Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:40.439{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4FBF451FE7CD6ECDB7EF0903A2A6EE4,SHA256=165B81FCBE387301B835837FC2B0200B77ED1161375B4E1C9E51774E3541A2F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000400966Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:40.376{7F1C7D0B-0C8C-60E3-F20A-00000000D401}8561532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400965Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:40.219{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0C8C-60E3-F20A-00000000D401}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400964Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:40.219{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400963Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:40.219{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400962Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:40.219{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400961Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:40.219{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400960Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:40.219{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400959Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:40.219{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400958Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:40.219{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400957Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:40.219{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400956Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:40.219{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000400955Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:40.219{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0C8C-60E3-F20A-00000000D401}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000400954Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:40.219{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0C8C-60E3-F20A-00000000D401}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000400953Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:40.220{7F1C7D0B-0C8C-60E3-F20A-00000000D401}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000400952Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:40.173{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F52C7279D69039D28B3AAA8B187F1F4,SHA256=1DE98F18E2B42D9D13F2431D4B97A5B8D3DB6F68B4D05E9952B0279907D7F829,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400982Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:41.891{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F82B84732C1739154F24651E8539CC44,SHA256=66273A3DF9CA9C172D5094E146328ECCA6674C8F2C1C5DBF49E4090A0D6910AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456123Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:41.456{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55D41C262772EEE6BF5953A630C3586E,SHA256=16F6DCC81EFCF52F6C21379B3873F8C2D60662067E62972F0368DEF49182A879,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400981Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:41.360{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9710C0928800829F5C341511E5A2C89B,SHA256=DFABC2E47C3FE1744D1B581DE828F636779376DE3A17287F51C116C7012EAC91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400980Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:41.360{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=505B4C824D37279A10E701419106BBFB,SHA256=E21DE659AD24BC16AD46921ECCF5755BBA46C8F7658B0E60500E00785C5B0542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400984Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:42.909{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A34E52718D39EEE853C415F7BF009C7E,SHA256=59AEB4C5D18618D0B0EA313CFC4FD46239E034CE1A16BA10E0FD710D285670D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456124Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:42.474{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=250A009714A6421B4148D6E2A378D9E5,SHA256=A2B54E67C3B55FFDE013ABF0F1B244334112232C649A4E60A505166A261B1494,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400983Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:41.246{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54088-false10.0.1.12-8000- 23542300x8000000000000000400985Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:43.921{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8755F5EB61A461AE0C209F0212864ED,SHA256=418C2470EBB63C1221CFB14E41E193D82150FE74D53FF2CA4991C3B5F6DA6629,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456125Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:43.488{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAA9F875798339EEC3A8AD24CB41F4A5,SHA256=BBE4C8120B5D8A54158D845789722FDCBE772D33E3CF7765D39649F450925DED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400986Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:44.930{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D271957A51F42C64DA2DB6BB1AA5CE3A,SHA256=E303BE68823CE3C9B52960B13461205E621873A6CFCA03A36B26699C36BA3408,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456126Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:44.503{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B1141CD5364A234149F80BD87D5D603,SHA256=0607DF7AABBDDDCF6090D3751CB74D5A644F22793C91FCBC08F4F7C2D69B10C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400987Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:45.930{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D12CA9FBF45B88318B8E9621097FE88,SHA256=04A16B3D386E44DA638A17390B6C59EE2548A2BC778EDBF3C4863E556B683788,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456128Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:43.450{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61117-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456127Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:45.518{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A053BDBA28FB3DBB14D978C91422746,SHA256=1A7EB4B335C6C670CA9CEBF5BFB1A8EDA55AB3D41BBD73529A983984568D85B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400988Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:46.946{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DC80331D32C052568906D601404422A,SHA256=37FE35B24A698F6C288C64518449AA4FF32FB2F7459C680F301395A06D179EE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456129Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:46.551{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEF2199E5BFD72812F8FA4C4A18EE295,SHA256=0398EBDD567F994BEF73E7071A1E419992953294601A42EC3C06F70A2D23BA89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456130Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:47.569{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=834E17D42B3489E764F1317371D98493,SHA256=B8C6BD09D04F02BA6C17D98D6CAAB4E5A4FAEF2E076C72DDFAFEEABCEDF36A95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456131Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:48.583{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C8A5CCA83ED7B40D655C494839C232D,SHA256=FBA7E47523E9F1FAD48100344663FA7BED0999DBAE3543E5A48FC6068446088E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400989Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:48.165{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEA94138AD5521808C4F718925CD12D3,SHA256=E7A90544C76454C1D37C43E9A5AC870585C56F5209248D662A9CC33CE5B0C7A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456132Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:49.598{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28ECB6A18E65A831232E486D33617D92,SHA256=636616C51E78D5D8DFECB798E250180001D91C96A807420FCD7AD9451E341E4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400991Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:49.196{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0DA5F7DE6EF3B1EFBAA239C59CD09EB,SHA256=1AA75982763E48E152CDD14B6990741CAF153F8D8DCB52785937B008FE16BF95,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400990Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:46.457{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54089-false10.0.1.12-8000- 354300x80000000000000001456134Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:48.714{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61118-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456133Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:50.613{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=379B29D7D65852196EE6C5FE9F8BE204,SHA256=AE17443462BA6CB0E11F8578845BB5DFD711C430D5009AED7A8FA48F5FD2E118,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400992Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:50.243{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC142ED57BF45D2B8B9D441D9D88AC03,SHA256=16BE5628816D7CDEB0CA37092DF315FD3AF419507EC3530AD79AA8CF944C404A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400993Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:51.352{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9B071DBE7B59DA4D644F901C46E5021,SHA256=ED64D6B99180817197B7C8B40E733160A75CE588A29AB927EA1E14D77F19F383,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456135Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:51.646{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F353E296D32FAD2AAC7268C2D4CD5EC9,SHA256=2967AE9639FD9B1C244A581BB83622291CA43CDEF0F272BF9532F21F5C596359,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456136Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:52.664{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64B29DD750A34B252E2273F9FB574027,SHA256=6565C357AF3DA865347ED8C7B099F413F90B902DC3C32459075D4E1B595FDA5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400994Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:52.368{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F04D9BA82A03BAB83F56CDCEE7D372F4,SHA256=0A3CF600F496575F245ADE4918B37FFB915B4E64BCA1806B71400EFD27A66E29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456137Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:53.679{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1922EDDA3E1E912A761A884F36CF8839,SHA256=7D292933AB545D03F3BC007181B3CDB8B03F5B7670D2E914E6C4DE4DBBD7E592,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400995Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:53.399{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E77F1C3BE43D189A224F899E1F2D06EE,SHA256=A4E902247338B907C6924C81544F8E8BC5F987506E74223A2CAAF1A640D84190,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456138Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:54.693{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18371B896A9ADFC13FA534352DA05F3A,SHA256=06CA5C9429E7AF5F4683EB201A465D3AC94B042A0F6E023B1DB901FF2E67AB74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400997Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:54.493{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=524D8890986E21AB001D3F06B294BFB2,SHA256=CBCD43BFBCC3DFAFF18611E2E6F6F2A6B1B0832C96A5A76E26AE66D56D261B12,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000400996Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:52.457{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54090-false10.0.1.12-8000- 23542300x8000000000000000400998Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:55.509{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6333942A5C7121B9BF2330BC071B308E,SHA256=00D12B6AB0836F8B1AC3D031B2B566F809F01011A4D9EE72F82AA6811F1106C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456139Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:55.708{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E6894D2D6F0AAF1E3ECB75D9B0C7CE8,SHA256=78DBD6BA4AB1C90001D0181DDA24B09D938BE66E28DEE66E270683DD344297CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456140Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:56.722{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9135DB07D146EC2098AAA3358B9A78EE,SHA256=3D0EC85EFCD6CD12CE787E30E722C0F0B51A8DD38947DEFC17565D8D4348010F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000400999Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:56.509{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8171FF8D64A2270260F433C265DD7184,SHA256=E8891B08196C95E6379F5E2BF0EE6E4C0379930DDAB891D7840F9867CD6B9962,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456141Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:57.738{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34EDCB6213FED3546F2B8DA30AFFAC0E,SHA256=3D15A42940F0F0C07D544A782E51058CCF015F05C91CDAA9D07274E1C1B7141E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401000Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:57.509{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75A38037801BC38F64B4D6B1B0B40B5B,SHA256=0519FA59DD66F04B17C0F33B700C39DD95CE3E9701B26D07BB5838F342895791,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456151Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:58.989{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0C9E-60E3-850B-00000000D301}6280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456150Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:58.989{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456149Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:58.989{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456148Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:58.989{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456147Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:58.989{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456146Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:58.989{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0C9E-60E3-850B-00000000D301}6280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456145Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:58.989{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0C9E-60E3-850B-00000000D301}6280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456144Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:58.990{D694AEB8-0C9E-60E3-850B-00000000D301}6280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001456143Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:58.773{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD28C3F44738424BAC5E23C04E4DF8B0,SHA256=20EA8B28E86E2DD37512474265FE52085DF2A3FF5B176881562044964EE30C2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401001Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:58.509{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11D032FB5ACE1F932C4B6EC4ADFBD6A7,SHA256=F1132B74AD27A3C7324635DFD766D12DD779C988DE56E6FE9E855DF2E6CF44E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456142Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:54.490{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61119-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456161Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:59.789{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CA2EF9DA04072356E9417669CE1575B,SHA256=BAB35DFD7867E8C581BB75FD92561BF97150490C1EF4B4D4AF3E74BD32034231,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401002Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:59.509{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2AC424D765A94A60D3DFE1E409030DF,SHA256=B6EC0F744B93C0ED5D1DA6840DA7CEAFADB381DE8C6AE09F501706C5A5E616A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456160Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:59.673{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0C9F-60E3-860B-00000000D301}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456159Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:59.673{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456158Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:59.673{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456157Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:59.673{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456156Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:59.673{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456155Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:59.673{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0C9F-60E3-860B-00000000D301}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456154Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:59.673{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0C9F-60E3-860B-00000000D301}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456153Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:59.673{D694AEB8-0C9F-60E3-860B-00000000D301}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001456152Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:43:59.142{D694AEB8-0C9E-60E3-850B-00000000D301}62804844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000401004Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:43:58.395{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54091-false10.0.1.12-8000- 23542300x8000000000000000401003Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:00.587{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E691858AF2FDBC5ECD9607DBFABFB2B,SHA256=4B68BC4E2ECC3407A0D72954121D910B2DDEF24FC8CB1600DC22D8383176DABA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456172Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:00.819{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4195C4D70AD8BE6116E70B8374D06C50,SHA256=FB1FE5EA6F214BD2B0F9AB6782A460262A48ABC921F8F4BF7E1A5F89F379E2CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456171Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:00.341{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0CA0-60E3-870B-00000000D301}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456170Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:00.341{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456169Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:00.341{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456168Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:00.340{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456167Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:00.340{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456166Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:00.340{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0CA0-60E3-870B-00000000D301}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456165Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:00.340{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0CA0-60E3-870B-00000000D301}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456164Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:00.339{D694AEB8-0CA0-60E3-870B-00000000D301}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001456163Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:00.009{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=864752EEBFA2BF54293C41590093A317,SHA256=3FBB55C626C6A93AEDA39C0BC646BF6062BEDEFB28D79B8CCEBFDF922E638D16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456162Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:00.009{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6F25F172D0A030863F9BF442BF98037,SHA256=F5CAE1C8D8F0629351E619A2B188124AE895C471BE39850F4681408E7CB078D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456174Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:01.835{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F917B1C52432D7A340B6484161A2020C,SHA256=7E04B660686B48E7478976D1353739E04DA945F6BD74C2A4B721E81CED17FBBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401005Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:01.618{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B66279A1CA5A5465216BFD557050C42,SHA256=DC2905E534B5821DE1300A13BA304BAB63928AA26DBC4B5A2507AD5653002174,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456173Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:01.371{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=864752EEBFA2BF54293C41590093A317,SHA256=3FBB55C626C6A93AEDA39C0BC646BF6062BEDEFB28D79B8CCEBFDF922E638D16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456184Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:02.869{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBE4B132921E218D2CCEB9998A3E7662,SHA256=D569941DD0676C476E3695734B737D61EB8F3B09DC98F1CFC2AD3CC2AC86ADA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401006Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:02.618{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE56B63F37826708A91664B87BAD5BCD,SHA256=959283E2600443933E9C08091233BDFB23F858D84FDED6DF08E514D0713CC31A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456183Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:02.616{D694AEB8-0CA2-60E3-880B-00000000D301}55762584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456182Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:02.470{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0CA2-60E3-880B-00000000D301}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456181Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:02.470{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456180Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:02.470{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456179Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:02.470{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456178Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:02.470{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0CA2-60E3-880B-00000000D301}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456177Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:02.470{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456176Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:02.470{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0CA2-60E3-880B-00000000D301}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456175Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:02.471{D694AEB8-0CA2-60E3-880B-00000000D301}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001456204Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:03.915{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08D1B69D68D058D3D4AEB6FA4A5ADC19,SHA256=00AEC293F9C30D54394BD5DA0DED9B77BA6035EE9768BC13CF4AE95D220EDBC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401007Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:03.618{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF250BB2BE48D6E92FADB97CD7198113,SHA256=D80F372AF8C05AE9C8522158147114372A72E6BBD6A7BA59268D0908FC18C9E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456203Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:03.736{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0CA3-60E3-8A0B-00000000D301}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456202Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:03.734{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456201Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:03.734{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456200Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:03.734{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456199Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:03.734{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456198Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:03.733{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0CA3-60E3-8A0B-00000000D301}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456197Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:03.733{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0CA3-60E3-8A0B-00000000D301}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456196Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:03.732{D694AEB8-0CA3-60E3-8A0B-00000000D301}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001456195Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:03.484{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D00C19726F551F947529557512E503C,SHA256=D6BAF815802952431676A03D6DA81A6DC10A0B9ECF11FADFDE35B21F44ADD303,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456194Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:03.269{D694AEB8-0CA3-60E3-890B-00000000D301}62646452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001456193Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:00.502{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61120-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001456192Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:03.116{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0CA3-60E3-890B-00000000D301}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456191Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:03.116{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456190Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:03.116{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456189Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:03.116{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456188Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:03.116{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0CA3-60E3-890B-00000000D301}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456187Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:03.116{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456186Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:03.116{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0CA3-60E3-890B-00000000D301}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456185Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:03.117{D694AEB8-0CA3-60E3-890B-00000000D301}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001456215Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:04.919{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02E40C9E5618121787A9DF72620BFE2B,SHA256=73EBE1D94E4C6711C917498020C252780451A01FFB578B45454DCB98AA3B7FF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401009Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:03.411{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54092-false10.0.1.12-8000- 23542300x8000000000000000401008Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:04.618{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0F7C9E7AD72655FA269B9B7B3DAEA5E,SHA256=D3DBDEACD690990A8106F92140C84E1E6C2257C0765FE7FAB1BF99A46B3BA0D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456214Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:04.740{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87841456C2D54A4E133D6276742BFF05,SHA256=5ABB4CE82F5344E8D84A8DAD3CB7AA23DAA81ADA1BC9AA9081C112A85BBAEE13,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456213Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:04.641{D694AEB8-0CA4-60E3-8B0B-00000000D301}13165852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456212Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:04.414{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0CA4-60E3-8B0B-00000000D301}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456211Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:04.414{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456210Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:04.414{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456209Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:04.414{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456208Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:04.414{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456207Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:04.414{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0CA4-60E3-8B0B-00000000D301}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456206Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:04.414{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0CA4-60E3-8B0B-00000000D301}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456205Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:04.415{D694AEB8-0CA4-60E3-8B0B-00000000D301}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001456218Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:05.937{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=016E8F3454120AC9FE9E009A7B967878,SHA256=EA0251B928D726C4364FF2198A9A78ED95D6C2CFB13E2181412AD7C976FDF679,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401010Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:05.618{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38FFD52B3DE20C9F409F5E5CFD991BF4,SHA256=9B8EFB60558C2BF1F6F0E08703EED59E1E78C8A507614F35A46C446859768206,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456217Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:03.461{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61121-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001456216Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:03.461{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61121-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001456219Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:06.955{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7098811E8EB56721117C91090DC52A08,SHA256=9C64EC304EB8BD45B3D48B9B16252AA152974D720D1316EFE0E1257E2F30ADC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401011Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:06.634{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A01BDF36D588C2F0FB005B0AB9738331,SHA256=D77CA480FB426DA2610A4CAC28A727CDAD2211C484677219F9587858C559C3A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456220Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:07.970{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4330E551E57C3EA9A78010B2CAA2FABD,SHA256=AB2B79D32D0C6E736C179E2AB74B2F2C61B2678BF0CE8D765C242139932CC773,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401012Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:07.634{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9115586B502223C571411AA0F26CC94C,SHA256=BC219A4BF31FB7D9FF210994180C2757127E4384FFAF20DCC44E104F59065878,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401013Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:08.634{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ACE3A27E2D4E9693A3D373A28BF4BF4,SHA256=8510E4F1588216C85F7E20D922D6E6DC224978E2F4A50A7EAB6023848D68E1F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401014Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:09.649{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF736E45096ED8A7FE56347D678FB140,SHA256=6BD13F588714D27ED288B096D88B1CB5AA2A29E92E0163345371464387894752,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456222Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:06.480{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61122-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456221Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:09.134{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4631FA0D0959AA54CA5A1BDD0F500E7F,SHA256=36E70E539B081BA7F716794AE1C64C2C91B208676CD1FD51EF16B8CEC672BB53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401015Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:10.680{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=248CB2ED0BE0A0F4BF2CB288E81725C7,SHA256=3119531DE159161C5FA959C00955D7CD99BC89549D327F95742057A33DA8BD61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456223Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:10.168{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B667BF1517EE063859009665E49F3DD6,SHA256=8650141160BB96BBBFF525B90245D9B162E6A1652FE920450B5E7A5537A6557C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401017Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:11.681{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=545FE12AEA51C10E7B71687EA531F04F,SHA256=E65EAA71CA6ACC1711787D7737749FA30C5A06EB73610FF8FA10E6B04F6341EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456224Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:11.183{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF2274AA4B5B26CC97C1F5C996229778,SHA256=50F0C6F3304612DDFC32803C8AC030DC7B0E89981632AE638E951B0030B0380B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401016Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:08.457{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54093-false10.0.1.12-8000- 23542300x8000000000000000401018Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:12.837{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57D31B8FB827BEDD927C6874947B0E3F,SHA256=B0E5D35F1E4A6A9BD0681A48FB73D1FA38D88E250AC2B76E8EE9F71556F7A142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456225Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:12.198{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6BC4AC296DFDACF2C590A8DEE7F925C,SHA256=B233328CF9E7648FBAAAAB9115E4F291EC07F589EDC7BFB38D500E9C17E12BF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401019Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:13.837{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9037D2CA1D29A511A4B4B7E2CF82D22,SHA256=1B0DD65829DEC57E296865063924D8AB883B28EBA09A989D92CBA31662A20149,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456226Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:13.213{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E5B84947371F2CA618EB5D545DEDEB2,SHA256=3B75A3F0756D80BA3DA5AAB61E57A8C3F5078171C846D711A8F7E1B4F2135306,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456228Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:12.512{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61123-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456227Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:14.229{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E6A1F568E7909E8318D766791F9A43D,SHA256=76AF2D1145D9917C11A9B939D04D1B5E1EEC17F02C4EA1E4D89C4174F6A63242,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401021Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:14.254{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54094-false10.0.1.12-8000- 23542300x8000000000000000401020Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:15.009{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E116083B2185E67BE85D0558CBBD9EAF,SHA256=2F70DEE586D9BCEDB8E181A3380075B1AA71F4E5204A4D8E40B6BAC3CCE4F2E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456229Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:15.249{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4D9FFED7481C8DF76EDF8AF0DAC6792,SHA256=4D0E2337D82FB3B49FAAB8FB86DE1747B2EA84E1C209F20D82EFA1BCED68D6FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456230Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:16.263{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D1DCD672E65C158871999BBEB98742E,SHA256=22A543DB1F517C786BD572921954A9C71B5E7737A67E2E9C4860DF1BEE8BF36B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401022Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:16.087{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23DD31FACBEEFD108F7271266ED5E4EE,SHA256=6C63E62452F7E1F17DEF6002B170418C629E973F536A38CF4E8964B2A1C4D2B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456231Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:17.294{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D85C74D85A27F8A00738BB79E398E540,SHA256=ADD35879C9825206D16B02EA5A68FC1A90E1BDD1BB7E87D00588B4A9BD6529C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401023Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:17.102{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DFC56FAAD262FD468B9DCD45CE0155D,SHA256=3BD8884C6A9F81EEC0A44C89E59712B27AADE5D3334C36D2055FC354EE4CA4FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401024Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:18.118{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71D94EAF5D22A882F9AC587721D43C5B,SHA256=3B2B558CA4A627A826BF951A80D399AE8261BE75071CC73CCCF4F62CAD475952,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456232Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:18.308{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DB02A34CC181E1233FA40EB9F5CDA84,SHA256=0B01E61173DFEC6EF9C9E422CFE31A848A0DB43E563D2F0F630BA60B0B9AE760,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401025Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:19.118{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA181D7078DCEDDF11331178E14B6400,SHA256=2815A155D6EC8F19E282BD1744B44B09083675139DC6F9AE0A6DDE2127E01576,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456233Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:19.325{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E05720EA210623240940D07C1A4DECAC,SHA256=4A51B03CB019491E98D248E48F4B9BCFCC488FD682D3586ADED774D5165E6AFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456235Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:17.523{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61124-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456234Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:20.343{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D310789E9D0724DFFEB69EEC7ED231C1,SHA256=318D3793FB76E31B6CC6D5E2C775C503BBAD75F44DF5549C9D4DED4DA07FF7B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401026Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:20.134{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D7FE27AA34F8739956F635973131815,SHA256=1672BC5532C16524A31338DCA3CCAFE0D2CA11A09664AA0832F26313609B16F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456236Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:21.373{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D653CCB141445AE095EB7BCB88C7163C,SHA256=67B27C44AC401B85406B6F91633DAF72CAB10FD491F547DA56182DFD08B3F22E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401027Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:21.149{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A0CC63513B058822B1A6CF3C5EACDF6,SHA256=CF19CC8915469D40E91180FEBC73992004BD68985103BEB2B462C6C703F4B7F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456237Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:22.387{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCB9DDE732B51A4E5584B88868D2AAA9,SHA256=B821C5ED9F22CA343CB62C56A1CC262225DEAE216886EF3195937C26E5EFD6AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401029Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:22.165{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81F00453E710FFB0F14E4F4347783476,SHA256=2A5318E2DCC79E27239683E77DC90A92B9B8535DD5B8669D41E2185DE0CB15CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401028Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:20.270{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54095-false10.0.1.12-8000- 23542300x8000000000000000401030Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:23.165{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75C3ED752BFF060AB5F6AEA1E9D0F7C9,SHA256=F7525AC2061EE71D52E262E8D7BE0A0FCFAFECF666DB18FABED9D153CC21B25B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456238Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:23.402{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C053B23E4C113995A5E8ACBA8A3195C1,SHA256=68EAC5B56C1DBC5674FD979AB1D9274DCC6D4F386D26D18105CB18F4756D0BF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401031Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:24.165{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DECDFEE2B014F15E7F8094F9971A947C,SHA256=12A7CC8A3C6C929B477FDE12D4EDF6EB62B43AFE9AAFA1DA3F42F5C45AA5A7CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456239Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:24.418{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7882A9C37EDE51504A3A8409DE95EC22,SHA256=A7DF0173686C72D367D4BAFF961668BD418D88C65DB6504FAADCE4F304C203A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456241Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:23.516{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61125-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456240Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:25.468{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=916C31CCDAD4D2686341528D28D8701D,SHA256=ACB26EF66A491AC7DBCAE334E6CDC62B967102AD4F15F867261957BAAC37F0CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401032Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:25.352{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90DB7136AEDD2741024D55F479C59E08,SHA256=9E13053A7BE223ADFBDE9643E7F90BF85533BDC40DC8599645A27B9C0ECBB178,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401034Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:26.399{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=98E86C83708A92B88DFA332AF83A2889,SHA256=5C98B37736F3F809287921BA7787B3826634AEDF1AD55B22DB7D64AC0CC08992,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401033Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:26.368{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFEBE6209725D8CB91055500B8E892CD,SHA256=CB3EF0C6527B19A0ADF7056274EED348AB775921364749B5B2E767484505F724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456271Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:26.715{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EEFB44C2792CD9BD9094C5254955AAF,SHA256=80BF0E037C8020798AFE99109D7465D9AF200A0628C9F441B1576FA5B4F8A318,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456270Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:26.016{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456269Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:26.016{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456268Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:26.016{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456267Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:26.016{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456266Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:26.016{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456265Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:26.015{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456264Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:26.015{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456263Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:26.015{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456262Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:26.015{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456261Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:26.015{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456260Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:26.015{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456259Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:26.015{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456258Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:26.015{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456257Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:26.015{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456256Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:26.015{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456255Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:26.015{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456254Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:26.015{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456253Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:26.015{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456252Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:26.015{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456251Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:26.015{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456250Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:26.015{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456249Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:26.014{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456248Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:26.014{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456247Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:26.014{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456246Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:26.014{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456245Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:26.014{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456244Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:26.014{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456243Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:26.014{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456242Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:26.014{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001456272Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:27.749{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FADB0FC6B99319989A34E8E8EE41A63,SHA256=38B2E7BDDD2D48D1EF1110B23A26AD8E9F87D5D8EC9BF6837223546D7BB0226C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401036Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:27.587{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFA4C2EEEDCB5EF779485D8278B45D70,SHA256=90E2FE0B176490BA47AEC78CC1DF91FEA88B16A5C1759A0FB3913540F10FB70F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401035Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:26.255{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54096-false10.0.1.12-8000- 23542300x80000000000000001456273Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:28.763{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=517654390A4B15EAE43FDD8D4D98961A,SHA256=84C16E65D97736C165F9D117753E6117D8E402AA339D72C71F1FEB30C60B7366,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401037Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:28.649{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71F6FCFAFAC3DA3C83336375D47B110C,SHA256=628F1F5453E009E2DBF8E1A2F9A94A72908F09B16AF5E090A17158A8750E78B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456274Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:29.793{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64D5E13DE40B5CBA023EE6D4DD411365,SHA256=F56CE8D3436F5920137BD64AB891C309478C499FFD6AEDAE617BB783556058E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401040Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:29.962{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A114B586FA16AA0736789B9BE9C8F004,SHA256=29FF0AD28401D4741CBD3D6A2D73E198885733B9FA31BF3006F4406D8D4C1715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401039Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:29.962{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5641C98C8153070FBF3E7C834A0F0006,SHA256=92860C85F8227CAF6342A2CAFA2D49AA3EB1B00C1AC645F9DBD50417D9F9B98B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401038Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:29.665{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AD2527DBD2F1DDBE1EE1962C91D7E5D,SHA256=A12F56E0FAD756B7ACA74318F02839218F24C2AAC408EBD767AC1C84239C2720,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456276Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:30.845{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456275Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:30.810{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C5059914E8E6B81E4E7204AFD327640,SHA256=C2656CB1490259A5322E39150237D66DAE8FABCD0476D90FBFD92CC18A0960CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401042Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:28.899{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-55329-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000401041Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:30.665{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C3C1C4B19C438223B5AD5F99CF9589E,SHA256=64820F20769ADD562D19081BD8748053D7259E6FB759524CA252C4A8E972F0F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456278Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:31.860{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D100B38F10BC99C526B80CB8FE58A86,SHA256=A5A6836FD18777093C8F1234CCCD4B87B9A9F7FD365F4817F18C1D9E695C715C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456277Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:29.493{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61126-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000401044Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:31.665{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E700FFF61C5A0E4824AFE7124BE06DAE,SHA256=8E6A6AC437DC5316875DA84FBE310F6B47CC6E7AA3BFD3BAA7C63EF6C1B035D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401043Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:31.493{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456280Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:30.276{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61127-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001456279Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:32.875{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A84F8B15418AC42FE2AA2CF58030FC0F,SHA256=F9A54298007FE4AE88D86A0C3A45FF80609B44C764722C83ED36DB8B809C99E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401045Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:32.665{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F8D79DFF8AD4EBC632C81E3AA82EF67,SHA256=CA5D7E858947CEFBDFBDB61FCBC055B3D88AC1B874C923509377AFD801D0D825,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456281Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:33.890{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3159AC6B09F81312D4D304D49B1BC37A,SHA256=1A38F156BA9D8416F3EC237D686FC0E9E39ADB04864F7988EBF13BE90A9D8952,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401048Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:32.286{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54098-false10.0.1.12-8000- 354300x8000000000000000401047Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:31.692{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54097-false10.0.1.12-8089- 23542300x8000000000000000401046Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:33.665{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD1377CE26B4B786037BE437433D7699,SHA256=1514C5D61827DE58D97685974514859719751134A05D760F2235D9978EF64488,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456283Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:34.908{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9FDCB5FC1A565A7A40125618D444D1F,SHA256=0A2E038EBBD7B8422A1D9C3182512210A48A71DEC2D05A8E91B0D841BA4B612C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401062Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:34.680{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33E30CEA4B6A7F7B9290B4D38902399F,SHA256=9833F354F5E9218AE2D266779F2E1088BD7A95B0BFE857D3834479CFEEF43583,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456282Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:34.074{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=05F06E3D292EC83C5FCC987E2C06EFAC,SHA256=265111A8A4ABFC46ABC37CE727EF14AF00CEA01A54CB956326DD7E05966E867F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000401061Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:34.540{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0CC2-60E3-F40A-00000000D401}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401060Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:34.540{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401059Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:34.540{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401058Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:34.540{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401057Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:34.540{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401056Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:34.540{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401055Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:34.540{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401054Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:34.540{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401053Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:34.540{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401052Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:34.540{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401051Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:34.540{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0CC2-60E3-F40A-00000000D401}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000401050Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:34.540{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0CC2-60E3-F40A-00000000D401}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000401049Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:34.541{7F1C7D0B-0CC2-60E3-F40A-00000000D401}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001456284Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:35.925{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB7E07FF3F6381738743A67D2E40BDD5,SHA256=5FC765F6B29C29FEFE61126780E503C248AD8CA998C4FF622D66CF2072363D14,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000401092Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:35.790{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0CC3-60E3-F60A-00000000D401}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401091Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:35.790{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401090Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:35.790{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401089Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:35.790{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401088Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:35.790{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401087Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:35.790{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401086Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:35.790{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401085Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:35.790{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401084Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:35.790{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401083Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:35.790{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401082Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:35.790{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0CC3-60E3-F60A-00000000D401}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000401081Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:35.790{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0CC3-60E3-F60A-00000000D401}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000401080Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:35.792{7F1C7D0B-0CC3-60E3-F60A-00000000D401}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000401079Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:35.681{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=530201F4E5F0CDAB776DB27B9E9203E9,SHA256=C46AA2B0C678506ACB10A8BDAEE8FB91D4E2E5043109DD3EADCF2AA48E614344,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401078Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:35.681{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D04653FA37B00E6E316FFEB11C75BD3C,SHA256=DAAEDB8B285148B21875C593C0017F59A5606C8436716B6C625408A8AA99DAEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401077Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:35.681{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A114B586FA16AA0736789B9BE9C8F004,SHA256=29FF0AD28401D4741CBD3D6A2D73E198885733B9FA31BF3006F4406D8D4C1715,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000401076Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:35.321{7F1C7D0B-0CC3-60E3-F50A-00000000D401}35002576C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401075Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:35.165{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0CC3-60E3-F50A-00000000D401}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401074Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:35.165{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401073Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:35.165{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401072Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:35.165{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401071Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:35.165{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401070Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:35.165{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401069Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:35.165{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401068Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:35.165{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401067Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:35.165{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401066Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:35.165{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401065Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:35.165{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0CC3-60E3-F50A-00000000D401}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000401064Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:35.165{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0CC3-60E3-F50A-00000000D401}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000401063Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:35.166{7F1C7D0B-0CC3-60E3-F50A-00000000D401}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000401094Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:36.884{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D04653FA37B00E6E316FFEB11C75BD3C,SHA256=DAAEDB8B285148B21875C593C0017F59A5606C8436716B6C625408A8AA99DAEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401093Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:36.790{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A4D7DABD07AAA157C6F5791A3D6A434,SHA256=1A2A3B1D3252B50103011AEA403700F51246D5DEBD09B17B8358EBEC3B0EF981,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456285Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:36.940{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AE35B05BDAF80B537BAF6D07A677F33,SHA256=504EEEAD46710D9B57A3940B14F8334ED7114263DCBA7DF34258D35634DD85EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401095Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:37.805{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F039A3CC46FC428ED5E079400D712F20,SHA256=FEC3913F7EACD40BCDA8885287DE477DA16734BBE52DFF19924B5390AB8740C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456286Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:37.954{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5927F126725A04C89E72DB2AC3501028,SHA256=285B82953856FA9CAD9AC53BDD40595ECE23877ED0DBB44A366E404A63731558,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401096Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:38.837{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F711A742AAEBE6E17E119C349507D15,SHA256=F97118AC206AB98634A23BB25EE60ECEB2A34EF354861A8AA8206BA7FE880C42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456288Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:38.984{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E3A61F8A16CD8664B4C0E3322624B7F,SHA256=C7B75570F1917CEB7AD0FA9B0880FFDF231C7EAD9044D56E13DCADBC8C3C01A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456287Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:35.534{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61128-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000401123Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:39.837{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0CC7-60E3-F80A-00000000D401}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401122Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:39.837{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401121Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:39.837{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401120Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:39.837{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401119Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:39.837{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401118Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:39.837{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401117Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:39.837{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401116Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:39.837{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401115Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:39.837{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401114Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:39.837{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401113Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:39.837{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0CC7-60E3-F80A-00000000D401}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000401112Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:39.837{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0CC7-60E3-F80A-00000000D401}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000401111Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:39.837{7F1C7D0B-0CC7-60E3-F80A-00000000D401}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000401110Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:39.352{7F1C7D0B-0CC7-60E3-F70A-00000000D401}34163220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401109Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:39.165{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0CC7-60E3-F70A-00000000D401}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401108Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:39.165{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401107Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:39.165{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401106Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:39.165{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401105Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:39.165{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401104Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:39.165{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401103Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:39.165{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401102Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:39.165{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401101Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:39.165{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401100Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:39.165{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401099Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:39.165{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0CC7-60E3-F70A-00000000D401}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000401098Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:39.165{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0CC7-60E3-F70A-00000000D401}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000401097Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:39.166{7F1C7D0B-0CC7-60E3-F70A-00000000D401}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000401140Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:40.352{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0CC8-60E3-F90A-00000000D401}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401139Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:40.352{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401138Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:40.352{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401137Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:40.352{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401136Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:40.352{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401135Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:40.352{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401134Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:40.352{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401133Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:40.352{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0CC8-60E3-F90A-00000000D401}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000401132Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:40.352{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401131Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:40.352{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401130Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:40.352{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401129Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:40.352{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0CC8-60E3-F90A-00000000D401}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000401128Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:40.355{7F1C7D0B-0CC8-60E3-F90A-00000000D401}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000401127Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:40.352{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24F75469A24922C0C447D608537579C7,SHA256=71A2ABB1BB1FF38239EEB8BBF1D0ED67F3A7B4FDD764B7D95F7B2CBFABFA41FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401126Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:40.352{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64BA6E0FD83E2FBF30158DC8C7F05631,SHA256=757B4EAF77A93B2D3458F55DB9871F1ACFDB0D8866ADDB519145E0CBE14AAE61,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401125Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:38.239{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54099-false10.0.1.12-8000- 10341000x8000000000000000401124Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:40.009{7F1C7D0B-0CC7-60E3-F80A-00000000D401}33802104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001456289Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:40.005{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8288E886A1F2FE74F954CB0F2615E942,SHA256=2AEBEF4A87DA79F0FA26E5C94D52E027F400D546572E118A330C3F50C3D38264,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401156Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:41.509{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=905849F95330D115CA4C788CA3CC1773,SHA256=9635A873EACCE916BB162E533907DAC737C55032B00754B5EFF2816E8AE10E0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401155Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:41.493{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=179255C8B560BA6FF0A987E0628281E2,SHA256=D363AA6C939200241C24962B5CE7C2D9DBE8E8B1DBF1D002D96140452D47ED19,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000401154Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:41.212{7F1C7D0B-0CC9-60E3-FA0A-00000000D401}16242156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001456290Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:41.020{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDC84B808228BC15BB47DA596CEE351F,SHA256=7F31756A9F9CD37A2C5F55EF11808C2B6FE6D912C0387BA70FB790FF5772AF6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000401153Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:41.024{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0CC9-60E3-FA0A-00000000D401}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401152Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:41.024{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401151Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:41.024{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401150Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:41.024{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401149Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:41.024{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401148Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:41.024{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401147Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:41.024{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401146Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:41.024{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401145Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:41.024{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401144Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:41.024{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401143Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:41.024{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0CC9-60E3-FA0A-00000000D401}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000401142Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:41.024{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0CC9-60E3-FA0A-00000000D401}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000401141Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:41.025{7F1C7D0B-0CC9-60E3-FA0A-00000000D401}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000401157Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:42.243{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFDF0DBF16C02642C0C7B666B13D48C8,SHA256=BCF23DC5AA9732F7503E34227026641E531C545BB87C9AFAF480A011A7D7AD80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456291Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:42.050{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68B8E96B7F43D866CA8B31A10B36F598,SHA256=50E9356F06DF813A94D50F6652AF0FFF760C1ECC4B46911423546F26C626B5AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401158Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:43.243{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57A962C133419924CA32755ABDE7CD87,SHA256=65B5EEB447161F8BD613664A7AFF7838A22B79DDD63D09BF8139C82678055EC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456293Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:40.548{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61129-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456292Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:43.065{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE4BA5D796B77DD51177107E2676175F,SHA256=E217590A28FD357AF79B6B5E6DA5FEF733D7C5ABAE753892AF265D202B187EE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401159Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:44.244{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B26ABF165376DF2C7F30F3B32EFD389,SHA256=E3FB222ABC3889E33AD4072DF5AE5B60702822A42349ED41B1BFFE41F5B67421,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456294Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:44.079{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C695BE71D78E8CB9C2D06102FA13A2EE,SHA256=370878F85E99D298C0E2A71E68B36E4A204017EEAE6B5BBBCFD3DB10BF86EF5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401161Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:43.458{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54100-false10.0.1.12-8000- 23542300x8000000000000000401160Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:45.257{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9ADDC1EECE78A6FD1D778FB9111F57A,SHA256=326CC508D051EDD09C943B71F71D3A29B71CDA5795F17E0D22A656144FC33232,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456295Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:45.096{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA651E028B68F68C526BC1A4D8F5ED38,SHA256=7B6CE40DE720A28C3E854B231315C06DC07BA927ED129B9DB8852A3A01B24DCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456296Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:46.114{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74B9DE351C024E3B01879D3B2581B1F9,SHA256=29C71052627BC400238A844BBFBB89054BC41DD6A17E4040F5C4877BA8EDB011,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401162Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:46.258{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D220617DC1FCF6A25BFD4003EC256E8C,SHA256=B207C677C73F890868A9F442D817E23EBCBAEAF77AFAF94E6280D8B7F687F472,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401163Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:47.305{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D99A697533CCD000BF6FE3A3EC96BAE6,SHA256=B3186442010CAB7900C054DEB0DCFDCC5157B824FF84D4A73398A189F94CC1D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456297Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:47.144{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F4C90049EE3A645E2DA4E8B2EEFF7BA,SHA256=DFC0B8A0475EC26B401736F08EBCA4F55617EE099FF031C92FBF93F0D2C61601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401164Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:48.383{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9B68F3790C94F8AB30C79837C4A7676,SHA256=31B7F1274F2621130E03C4E3524ABF0D17500800708DB255CBAF71C1BA3116ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456299Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:45.561{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61130-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456298Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:48.174{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F2B1C715AB45DD81BFB922AFB55685D,SHA256=E5495B8042B4F5E365058D69D14426536ED677327B7CB4E9DD52A538F8F56406,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401165Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:49.399{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93B6FA4C35FB1BABB796E83816EDF111,SHA256=FC21A4C7A436DAD30BB525781BA2756FCB6354579AEF7AFF14E525B03509E66C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456300Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:49.192{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D31C6642A1DFB7102A4AABE0EF22A66,SHA256=275E2BFD0CAC2FA61AE62BD2088EF694B8D0C21C5D946E37282338667D3EFC55,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401167Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:49.301{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54101-false10.0.1.12-8000- 23542300x8000000000000000401166Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:50.492{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F6166712977C8006F120B20EE68E819,SHA256=2974B4CE2D5BAE6816A4779C199F00742A97C0E3E4D0852D6652B357B539738D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456301Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:50.210{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC6B38A8987A7E7A4562B81EC185BEEB,SHA256=E06B17407E97C22E761813E5CDB03A2A01963E46E75F1391EE8E24F357CDFEA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401168Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:51.633{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25BA4C88FB94FD5C79352D7C30EA238B,SHA256=257C684F4E030D0FD02821C88BB9059A352681E31DAFCF393A00C29809C9B265,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456302Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:51.240{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5570FFD26967DF823EDBE2C42498E5EC,SHA256=19D6C36FA3FC072C9388E25B357CA85180EF0C7A6B025BB974446D986F6FD0DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401169Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:52.727{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C82D8BF42E7839722EF1A2F18C3CB74,SHA256=488129EF48A0E0D971FCAE001180C32F206043F164E5E13DE2FD39C962E8BC5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456303Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:52.271{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95854AE5D23A8375F0F55E1C995DEC3C,SHA256=6DC6C2310A71EFF13C94030C6A2DA88AF3982DA4CCC0D3EAC46B08039AB916ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401170Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:53.727{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BC5B8E416E70455D5E916515D9FA84A,SHA256=E12A47894127D7760595188FA6FEC9DE013F14C3131B37FB188BDC36708B2E8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456305Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:51.570{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61131-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456304Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:53.307{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FA3354D99EB0858F07A370E030368E5,SHA256=9FD97EFAD06726037FC3D09559DCB594BD4B6694BE68705ACDC757DA6F815281,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401171Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:54.742{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96A8915515BA0D0BD4A07652FA42D8D0,SHA256=37BFA8C6D06A3A02A912E1DA46F7A43D664CF8AEE3BF503409DF1F51036E48CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456306Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:54.321{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9747B65524104070E305788CA90449C,SHA256=0C2A53B4D3F6F0F09C165845F85999A10CA3CB9C512DAAC5430A3F3BEBB080BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401172Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:55.742{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=275566A91EF64D5B173CA71AE79DBFFD,SHA256=34B4ED15157013139B83CC5B4ADCA1F537442B546B3A1366419B14018A778502,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456307Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:55.335{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5DAFDC1A583145590B45BD47E2149DB,SHA256=1F1025105AFFC520BA284CA03DB8EEA13E47698404C56B3BB5529B1E2E06C703,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401173Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:56.742{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=384226141CD8FE1FE52D378143AA2717,SHA256=069400A68CFA26FE849AEA4C0080AA19778C33BEA0AA1AE381EC936F541B0D39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456308Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:56.366{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4E7DFD667EF8F68053CF0614433A853,SHA256=546B5857119F5F608B14A38A99CB95822E058446A81DC2AC7ED51B633BDE7886,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456309Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:57.383{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CD25020AC4890B591A65FCB8A2E7491,SHA256=79A4D1A60EE4E952C23EA9408B37AADFF5BD66F3241EAAFB66019AC1D1FFED48,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401175Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:55.333{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54102-false10.0.1.12-8000- 23542300x8000000000000000401174Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:57.742{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8206D4A5C321707327DCE8503D18370,SHA256=2123A82CB19094DDB31EF3CE487BC05DAF1502C5C9BDA7300355707E7B312678,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401176Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:58.742{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC1FD62BB48CEB9F062716283BC27270,SHA256=23FC036CDA23B9E2DA89D2CEE6D61CE9C69DD263D9A68D68076D20097B00D15B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456318Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:58.901{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0CDA-60E3-8C0B-00000000D301}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456317Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:58.901{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456316Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:58.901{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456315Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:58.901{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456314Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:58.901{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456313Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:58.901{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0CDA-60E3-8C0B-00000000D301}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456312Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:58.901{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0CDA-60E3-8C0B-00000000D301}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456311Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:58.902{D694AEB8-0CDA-60E3-8C0B-00000000D301}5408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001456310Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:58.402{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E6F13CF30B08D18096AC3702A1E63EF,SHA256=28B73FFFC9B9E6D8DE0A583D1D3C7AC82F27DADC52A9CF3EF1DC943446617688,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401177Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:44:59.742{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C42515F7E4D3E4F682AC11C4D683E9F0,SHA256=7A13E74C9E3661EBE63E2412105723645287A4AB5D348DCB429272ABC982C66F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456330Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:59.931{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02AE8F982FC25A1260CD3942ECB0A68A,SHA256=59CFD0A790A17AEA679ABE51141CC4C1CEA9A14B55AD6218D2EE0408028AA707,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456329Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:59.931{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E02910EF3455270D50DEA1EC503CF8FE,SHA256=F6AF7F0A067BA90F8D8EBFDAE22CB5D0F65C77C55E7E7CBA55F9346935263A4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456328Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:57.564{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61132-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001456327Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:59.516{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0CDB-60E3-8D0B-00000000D301}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456326Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:59.516{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456325Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:59.516{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456324Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:59.516{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456323Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:59.516{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456322Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:59.516{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0CDB-60E3-8D0B-00000000D301}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456321Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:59.516{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0CDB-60E3-8D0B-00000000D301}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456320Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:59.517{D694AEB8-0CDB-60E3-8D0B-00000000D301}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001456319Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:44:59.416{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79BADE060B34F9C7FFE52A5D47C1CC5A,SHA256=B5FCD969B060D873B91D549D344819CB758DFF0F6CF25D7C61B19485AC261806,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401178Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:00.742{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45DE28C7F89E04491A31730756F61FF2,SHA256=A3FD36E27BEBEFE00AC2324870B4975D5048BCAA38A24F7F826C118AB727A42B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456340Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:00.462{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1286C50FF61D65A71B0CBCEE31A31BB6,SHA256=B905C05CBFCEE3E21C59BDB4C4A9072D8601FCCD2B11092C7DBA4C9F1E4E9391,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456339Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:00.284{D694AEB8-0CDC-60E3-8E0B-00000000D301}34484772C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456338Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:00.115{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0CDC-60E3-8E0B-00000000D301}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456337Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:00.115{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456336Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:00.115{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456335Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:00.115{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456334Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:00.115{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456333Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:00.115{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0CDC-60E3-8E0B-00000000D301}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456332Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:00.115{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0CDC-60E3-8E0B-00000000D301}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456331Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:00.116{D694AEB8-0CDC-60E3-8E0B-00000000D301}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000401179Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:01.742{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8C469D2EA4A6B09A2CAE1ECA7E43103,SHA256=5B0EA5EEEEAE13610A1DF36942975CBD4558D2D1ED6A8B409AAEEB832235F672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456342Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:01.479{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F65B217C4DBCF93307AB39B56C906A3A,SHA256=3249A3D3843DE164EC41F7BD67EA8BB84D24C4939ADC75AD0CBDB20754E09D23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456341Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:01.116{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02AE8F982FC25A1260CD3942ECB0A68A,SHA256=59CFD0A790A17AEA679ABE51141CC4C1CEA9A14B55AD6218D2EE0408028AA707,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401181Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:01.270{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54103-false10.0.1.12-8000- 23542300x8000000000000000401180Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:02.742{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86EE184BDBBB7C5E89A3A082FECC2C4A,SHA256=38D297C63AF2FB7C317C4ABCF4C9942AD5CD2DB0FFB8F26E4B93396BEE90C5CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456352Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:02.630{D694AEB8-0CDE-60E3-8F0B-00000000D301}35646516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001456351Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:02.499{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C1E4CFEEEA265D1BC34756743510B81,SHA256=2FAAA3D2202CA926665CAAFF23ED917E828F756933404B953D734CAAF07ACF3B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456350Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:02.481{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0CDE-60E3-8F0B-00000000D301}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456349Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:02.479{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456348Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:02.479{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456347Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:02.479{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456346Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:02.479{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456345Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:02.478{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0CDE-60E3-8F0B-00000000D301}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456344Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:02.478{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0CDE-60E3-8F0B-00000000D301}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456343Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:02.477{D694AEB8-0CDE-60E3-8F0B-00000000D301}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000401182Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:03.742{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2F387BC582D1E7BF695FA1E29689D10,SHA256=C5F9A13619D44472D12C8CCEFA6F2351790D2AD2ADC7FEDF6451DEFDCA55DC97,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456372Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:03.883{D694AEB8-0CDF-60E3-910B-00000000D301}41201628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456371Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:03.730{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0CDF-60E3-910B-00000000D301}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456370Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:03.730{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456369Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:03.730{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456368Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:03.730{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456367Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:03.730{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456366Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:03.730{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0CDF-60E3-910B-00000000D301}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456365Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:03.730{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0CDF-60E3-910B-00000000D301}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456364Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:03.732{D694AEB8-0CDF-60E3-910B-00000000D301}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001456363Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:03.499{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B3E4D7E3BF6F665508B015C317552E4,SHA256=99039134CE9699027A7007F23FFC9FBA82B71F5127721C7766E2695D1E62DA24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456362Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:03.481{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=782692031F50AFDA57619BDABC8F4E57,SHA256=2CE34571FCDC87B284B4ACADB2285E25C822223F35D33E9AC45BF8F39C3A6BF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456361Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:03.315{D694AEB8-0CDF-60E3-900B-00000000D301}60724976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456360Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:03.162{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0CDF-60E3-900B-00000000D301}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456359Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:03.162{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456358Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:03.162{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456357Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:03.162{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456356Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:03.162{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456355Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:03.162{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0CDF-60E3-900B-00000000D301}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456354Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:03.162{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0CDF-60E3-900B-00000000D301}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456353Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:03.163{D694AEB8-0CDF-60E3-900B-00000000D301}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001456383Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:02.577{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61133-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456382Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:04.745{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9AA5AF49BF1C70D88CCE0AFC221BB97D,SHA256=9D77E10A53FE9571DE7416203F182D707CC3FDE0CEE5C2313DD2447E0BD05DFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456381Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:04.514{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F022520B687560A4F4C52D83B21A5085,SHA256=E05B799A8C263F03D668D6669690FACA165E253817D17BADD3F25C84D15CCA60,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401186Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:03.712{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-46550-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000401185Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:04.774{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78504C1C6E7E03E370D43D4783DB5B36,SHA256=72AD248D1F08FB8DC0F119C59822CF89F1E377A467FA221828CC1FD42C8A8794,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401184Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:04.774{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F332E7858C06DA1AADEE3D04FFAF9236,SHA256=7DADB7216D8225D775B67E10536139675E3E0FAFA0859A2E796959B29DBD3886,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401183Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:04.742{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=971A49093FFBF5978FDBE4A8CEFBB393,SHA256=59C67EE5995ABB7F139A27025AE0387B33186DAFE986FF80EDD599F1C8E82E96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456380Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:04.414{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0CE0-60E3-920B-00000000D301}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456379Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:04.414{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456378Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:04.414{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456377Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:04.414{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456376Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:04.414{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456375Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:04.414{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0CE0-60E3-920B-00000000D301}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456374Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:04.414{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0CE0-60E3-920B-00000000D301}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456373Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:04.415{D694AEB8-0CE0-60E3-920B-00000000D301}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000401187Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:05.742{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39813F8C2BDC7B5C5BA96DBAA93C7F73,SHA256=617761C12A58C08807018FBB712862FF1EA44BDB80740E95A1C4E6F2D99FFBA6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456386Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:03.477{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61134-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001456385Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:03.477{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61134-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001456384Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:05.544{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B46DDA36D00D2EB4FEB20804A9FF771E,SHA256=867DBF3304747859EF94FA21785B8079D5E6A8324E35C169F957AE47D4965E52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401188Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:06.742{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ABD2ED1C5EA5109F33839AF0BA9433F,SHA256=FAD73E5EF0C61F143699664CEC26E77F23826A4F3761F9248784B8ABDD4C31CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456387Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:06.559{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A4B8B223814A06102F0E977879FD911,SHA256=560EDBB22763D372676A05E4F021A7147BA6270086757C81374B6028168471B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401189Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:07.742{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A153E3B1B13AD496FEB6C70CA265B24,SHA256=E947221DDC19AD21525A1C84E1A06F2F4FEC7F6D3DCCA68B4F21ECF78B79D466,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456388Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:07.576{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=875855F71F05220941EF3CF433DA2FA9,SHA256=084AB10EABAB4147EB219A7844ADDCBE833A98C7008BCE669A1BBD30B04B3970,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456389Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:08.595{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BA6A751A171506E6EE2D83457EF33DD,SHA256=A7C40661F98F7CC91EAD467AEA1CD05718E00F5C088387A2733D3514627B7C25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401190Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:08.742{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFCAC7AB3985835F629E7B23213E0E3F,SHA256=D2B396D6B91B5884906A9FFECD60F5D1696636A6E4E92322927191BBA17FD434,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456390Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:09.595{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF78E8DA15E9C6546EBC1BF924E87F73,SHA256=5B67962AB88EFF498B470901E57602747CB8FB7187BB79305EA9092BED6CBF7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401192Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:09.774{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A9F33EBA16F21E940B6D11D543F865C,SHA256=B2C9BF74AB5377B2B933A36BEF2E9A098B818FEB11AF7A6182B52DEA62ED8C27,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401191Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:07.255{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54104-false10.0.1.12-8000- 23542300x8000000000000000401193Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:10.774{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE1FED6CCE940C97BA1F15C88FD93A38,SHA256=8B95A3615204B1391FB5FDFF06D61B317C2A3384A4670046C8673C2A7D0DE095,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456392Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:08.573{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61135-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456391Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:10.609{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83C3C785FB180D6CFDA24F63D3512968,SHA256=0272E36CF5B47AFAA9FDB1E1979081613DD99B0BAD49D5973CE26BC9F5C78597,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401194Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:11.836{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDC9C8FF7A823A001331CAE39C5F4CD4,SHA256=FC97C9DD003EEC20EBD2D1651F57029282A8203B24F04888C65414B5E97B0BA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456393Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:11.655{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C083E72EF2FE8EE5DB092926C710EF8A,SHA256=251733A1CA5C5A9CD1A301C7DEC79D12D3F7A6CD79C0295458D743E06EB8E3F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456394Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:12.693{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAF59E0A295AAF386EF8B8C04CEDCD19,SHA256=35008F162F0596F5E7D3E2C3EF24BB68B5E4BDBC4AEEF490E62C867E357EEDAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401195Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:12.836{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AD7EA975EFF0F41A23DC003DDC0FE0A,SHA256=2E7C237AAD95920B841F0E3DBB2FD47D8AB8607A54C5204722209F3B6FEA2A93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456395Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:13.722{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63B0B4B11006C6927C13BE5B876EF196,SHA256=A144094C9DB15809F21D1E0A5C6C2E306FD24811BE219CB8F33B2F366CDC7B3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401197Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:13.883{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F2B32569D45838659F8D0DE48B874D4,SHA256=BA4FC76A0DC8C189BCAE04014688A6A57A6AA996475BA44FF2BFDD508586D25B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401196Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:12.458{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54105-false10.0.1.12-8000- 23542300x80000000000000001456396Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:14.737{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB521A8E513649405E875742525848FE,SHA256=3A71BF6E5D35E54E7EF831CEB8E6A2AE7381494A18AD7CA400AC1A627E92ADB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401198Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:14.899{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F36FE4883AE5059602E98CB50ECD5FA6,SHA256=83D3EA13EE59F27FC3C0BE01FBCCD2408963ADD7DAECC0EF77DF3D69E1C6B772,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401199Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:15.899{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DD2106D1B65E52C443F284CEDE39D79,SHA256=9B031F64D40D9A6326274C3C82A3F5617ED6A06436481F42716F5B3A0174DDCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456397Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:15.737{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8525F133CDD646E8953DF3FC7FF0C4F1,SHA256=2962C1E7BC22038B97D472A49AB76049F7656C253D2C8BEC2A9B080BC8DEF8A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401200Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:16.930{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CF950BF980536EB00EF5C4788A07DB1,SHA256=5919C46A527DB000E7C9AE5846ABE022214FE95246BA5D6980FCA5E461066D66,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456399Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:14.614{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61136-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456398Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:16.768{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE9B9E62133C934361A6AFEBABA15DAB,SHA256=5C097EC6CC250E5A2D884648CB2AD06C2B387AF0C28609E9FF11743BCEBA8C15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401201Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:17.930{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3807675C34D57E5F199E5D3510AEF261,SHA256=790C33CBB4A06DD01C2396CEA48B2B1665D348D25D90E9C27ECC51E03B8A016B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456400Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:17.787{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B58215971F9275725B9F6E61557B8843,SHA256=8F9F960F97DFFA136CDB2E106B99FC388235B3B5F9296EC45EB6971791A01851,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401202Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:18.930{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64F76C5EB023A818B37197227D9FF195,SHA256=2E0478C972692D75C6E76C7AECB6B23091C604EFB002D0306329E6D93F399A91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456401Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:18.801{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C20BFBDCA2A59A864379D278B75A3A28,SHA256=F42108B23043387890C5EE1B1214F0BFF0F7543F932EA7CA0CBEC7AC7F16B7D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401203Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:19.961{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA8E7496021F28BF7E03845C2C5F0966,SHA256=25259B84B494C02904C61D16513B49A26BE4DBE3108F531A4FAE76A13258B226,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456402Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:19.815{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1D44C9E0AB45947CCF722B4E9239670,SHA256=B8844351158ADADB64C0CDFAAEAFF649FC82C81C5958271E90C8908A95178A56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401205Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:20.961{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE25C1228D033CD2C13D31CB0931DF92,SHA256=EDFFFCEC9560A543A77EC8C800E9CBA5C0FA6F79ED1E6974B80C9FA5F3A33725,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456403Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:20.830{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A388BD431D14372FEEE96B29AE1AE54F,SHA256=0AE7BD94FBF290A1CBE0B0458AD7D64A7CBB822E9DC177E20C121DB8387A29A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401204Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:18.458{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54106-false10.0.1.12-8000- 23542300x8000000000000000401206Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:21.992{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=515109825F89D71528834549D39DEC22,SHA256=4AFFBE6E71A2B44CE8296050BCEF7DF56346ADEA4E488E476FF72DCAB4969961,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456404Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:21.844{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18703246CDBD44302F4A7A13BDDEE4CC,SHA256=78A71E311B4C3CE8C4973F2D114B7A3A4B7F9EDF0B330ABC07114C61178B7F6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456405Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:22.865{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41B9C5F6C43A802A2D40B775BC7AFFC4,SHA256=620F4ADCCC7C56BE24C519C2089247C8B0871D11D8AC3FDE07F05348A39BC6CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456407Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:23.879{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC7B1C6BF7C4FD902BF984BBE55B258F,SHA256=7B6DB2FB0A75871047FBBE0001154314C170C26633904BE609012E2F6B98301D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401207Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:23.008{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23D666E07E2B74DACD9256E5130B3A38,SHA256=17EB13921203D2D2322641F3E4C4F05B75B54D6AE1358D8A1D158078A767E097,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456406Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:20.611{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61137-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456408Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:24.909{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6991C8920F1A2BD696129090A433E4C6,SHA256=2F313BFDB7765959AB5A4E38B38AF0A531ECC35B8C840ACD92B72CA19B81FF65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401208Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:24.008{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F23577A5E46C4EB55459B9FB2C69F92,SHA256=25C8942005834A34B0BDE7CFB970BB37F89E5D5A25A464AA60A5ED951DE6DB4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456409Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:25.939{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70EAE47A1D0D2E358D490AB075167FA0,SHA256=DDCDA4AA80CCE4E309884D09B79E7F8A8E1CE85699A960FECFC66BC62EC889E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401210Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:24.286{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54107-false10.0.1.12-8000- 23542300x8000000000000000401209Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:25.180{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ECFFF3B3E2F254032A865BD6A1601F7,SHA256=F67559970AB88A84758A56CAA55AA21D891F097CDFBB04C29A559D654E4511AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456410Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:26.955{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E385D702EE9AA511706AB478B3D96A57,SHA256=56E31220179EC6AD913C6A2311DBFEA564B17FBF8AF88F31064BBDEFD84E4D33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401212Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:26.399{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=08D5CFD1AF5D94FE8BF0B03E4C5EE630,SHA256=206C9728E24FDE881FD89F7C9E3C5CD045CD06344C9DD17CF5F5519F90DE6450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401211Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:26.211{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44A624C17674071F90AE674822759918,SHA256=317FCE9CD8F0B6E7BA0007D63C9038392F66F9D2D98D83EA7FDF4267B5F69624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456411Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:27.974{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ABCC3E230AA7EB568815769CD265F42,SHA256=407DBD3865A76D608A23F1122A7B074EA457EBBCDA9FE178883BE3E5AC5CE57C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000401223Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:45:27.790{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000401222Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:45:27.790{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x015c04a6) 13241300x8000000000000000401221Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:45:27.790{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7719b-0xa19be65d) 13241300x8000000000000000401220Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:45:27.790{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d771a4-0x03604e5d) 13241300x8000000000000000401219Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:45:27.790{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771ac-0x6524b65d) 13241300x8000000000000000401218Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:45:27.790{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000401217Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:45:27.790{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x015c04a6) 13241300x8000000000000000401216Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:45:27.790{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7719b-0xa19be65d) 13241300x8000000000000000401215Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:45:27.790{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d771a4-0x03604e5d) 13241300x8000000000000000401214Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:45:27.790{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771ac-0x6524b65d) 23542300x8000000000000000401213Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:27.212{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=413FC47D000F37F0339323D5A60A89CF,SHA256=FAA2AADDC1D7F3AF3D5EFAD77556F5BADF3FBCB6D40FE8CA0094B357911FDCC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401224Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:28.337{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ACA02D624B23D07374BA377F377D341,SHA256=71DB1618098F9735FE408014AB4707882AA63DCAEE052639AA9A4E72C117DA4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401225Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:29.478{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B1185C85B098D3577B7A66DF6601D9C,SHA256=C2EAF6AC0D24C0154A04C6A26F54C98130898DF7B1510F359EA8AAA241EC4C61,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456414Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:29.653{D694AEB8-B3E8-60E2-0B00-00000000D301}6566904C:\Windows\system32\lsass.exe{D694AEB8-B3E5-60E2-0100-00000000D301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001456413Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:26.622{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61138-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456412Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:29.036{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9CC894D20A3050628D75F31AE21095C,SHA256=78356918B9025FD04CE785167AF8B0A06CF3C37F52A589E7A38D9062075794A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401229Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:30.478{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4222B639448B6BCB4479914C8145C3B9,SHA256=16A36AED8C795A6DEE5AEFFD06CC995850CB9E6E1DC86098FC8E0583A47D7038,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456420Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:30.874{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456419Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:29.098{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61139-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local445microsoft-ds 354300x80000000000000001456418Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:29.098{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61139-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local445microsoft-ds 23542300x80000000000000001456417Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:30.674{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4D1E9E4959947BBDF837EA468504DF6,SHA256=B202740E37DF2AE2760EE1725D9D553E13E664F63B2B74F740B6BC0A002B0130,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456416Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:30.674{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E69347C343153D37748EF230BA7A065F,SHA256=E2C8FC341760254DF94549035B20E3A7013F4BD5FA189E39D91CCD273D949CA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456415Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:30.052{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AA29CB8BA163F47104D516F1B8912F2,SHA256=2BFF230D1BA26F5981926716AC20E9802D7E0AEE57ABE4839A9400D33B3C57EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401228Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:28.954{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-56181-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000401227Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:30.009{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7EEC2BFE0BA5622A2E4C51262CA401AB,SHA256=764AB1C628776A7C6CD2C30D523AB580A942DB76FA526D792ADFA9B4ED9214B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401226Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:30.009{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78504C1C6E7E03E370D43D4783DB5B36,SHA256=72AD248D1F08FB8DC0F119C59822CF89F1E377A467FA221828CC1FD42C8A8794,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401231Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:31.509{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401230Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:31.494{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD6F12BE2C9FAB1C6DC4066D224EC640,SHA256=A721ABF5A1AA228F2221638A5A6E4E75D194DCA5B596B091842C355647633C11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456423Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:31.473{D694AEB8-B3EA-60E2-1600-00000000D301}12966008C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456422Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:31.473{D694AEB8-B3EA-60E2-1600-00000000D301}12966008C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001456421Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:31.074{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A09CBF7180468CAE97C68B7DC5CD8DCF,SHA256=D5924AF794A6F9ACA190F7AACD0713B9D05BC6E1BD4B208D800438ADF0DBBDDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456425Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:30.299{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61140-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001456424Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:32.088{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7292DC6A0AD21364D8019B3D316C54F,SHA256=3F5514286D6A03BFF4C702D8BB641963D82939D47477D9D985B8A52292AB79A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401233Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:32.494{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFCB7BCDE15F8ED06CCBD9B0B0C2B8D6,SHA256=C0024BDED944B871CF7F6BD7F8E5B80615D6A4B7AC8F4BAB008EA07D8362EB3B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401232Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:30.303{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54108-false10.0.1.12-8000- 23542300x8000000000000000401235Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:33.494{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A63453205FF709FF403777FDF2AA6CE7,SHA256=8D1B241322A12C3659BFA180E83A0C4D10AFE1258215AC766CEDA8002A8BF80D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456426Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:33.103{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE8478F583E7F610AC85E905B7A30112,SHA256=DEE6151A41BE1D4331145F8ED7B301BB9F737EE0F7865BF6347C0DBA2841ADFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401234Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:31.709{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54109-false10.0.1.12-8089- 10341000x8000000000000000401250Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:34.806{7F1C7D0B-0CFE-60E3-FB0A-00000000D401}6483016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000401249Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:34.556{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E887C3D70867ADD76A587D41DA13EF9E,SHA256=CDE373DAD5E894E220465B82281FFA6751ABAA46F18C3E5CBBE105DCD30A0756,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456428Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:34.133{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6CAAA5BB907DF36B31AC7FDF60B1A4F,SHA256=B07B0DDB3B1991EADABFEDA3CC62BC918BE32A6C53DBD324DCFF45019172EB3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000401248Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:34.540{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0CFE-60E3-FB0A-00000000D401}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401247Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:34.540{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401246Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:34.540{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401245Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:34.540{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401244Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:34.540{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401243Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:34.540{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401242Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:34.540{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401241Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:34.540{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401240Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:34.540{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401239Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:34.540{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401238Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:34.540{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0CFE-60E3-FB0A-00000000D401}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000401237Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:34.540{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0CFE-60E3-FB0A-00000000D401}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000401236Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:34.541{7F1C7D0B-0CFE-60E3-FB0A-00000000D401}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001456427Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:34.086{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=166CE659F68C8835BC80DABCE99BBEA0,SHA256=C5C8A190DB2DC083BAB069EFE3EA0C3596712965565B7CDB0E745884FED1C397,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401279Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:35.775{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C417F2F7E7E7FCFE6B1A20723786A93,SHA256=C900236B0F0E75A6FD35B189F6EF291B00A82787286E2BABD5AECF9303AEA225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401278Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:35.775{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7EEC2BFE0BA5622A2E4C51262CA401AB,SHA256=764AB1C628776A7C6CD2C30D523AB580A942DB76FA526D792ADFA9B4ED9214B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000401277Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:35.712{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0CFF-60E3-FD0A-00000000D401}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401276Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:35.712{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401275Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:35.712{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401274Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:35.712{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401273Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:35.712{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401272Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:35.712{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401271Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:35.712{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401270Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:35.712{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401269Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:35.712{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401268Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:35.712{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401267Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:35.712{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0CFF-60E3-FD0A-00000000D401}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000401266Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:35.712{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0CFF-60E3-FD0A-00000000D401}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000401265Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:35.713{7F1C7D0B-0CFF-60E3-FD0A-00000000D401}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000401264Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:35.572{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADCBB213EA9A79547305B414407A9C93,SHA256=01917E57FFC2FDB3A6E8E476888C2703C3773DC3C550D44CD5C9FB9D3A64A524,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456430Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:32.596{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61141-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456429Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:35.151{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4714B8DE1EF031A04009C427F30F72C0,SHA256=837562A51B1AD2209896928DA8B8B57E86CCCDAF1461CDD9696DBDDE716DB1E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000401263Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:35.040{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0CFF-60E3-FC0A-00000000D401}2304C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401262Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:35.040{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401261Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:35.040{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401260Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:35.040{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401259Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:35.040{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401258Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:35.040{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401257Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:35.040{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401256Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:35.040{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401255Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:35.040{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401254Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:35.040{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0CFF-60E3-FC0A-00000000D401}2304C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000401253Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:35.040{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401252Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:35.040{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0CFF-60E3-FC0A-00000000D401}2304C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000401251Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:35.041{7F1C7D0B-0CFF-60E3-FC0A-00000000D401}2304C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000401280Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:36.572{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF3D578517F5D6A3FEA354CBA47B3C97,SHA256=71FD393CE931AE8214CA993CA52EA1DB390F6CB4B66D7DD6D1A4DF0BB382E74D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456431Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:36.168{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0B259793B813D2016252DCDE49A5CED,SHA256=7345E66C5664639E8BB13C4338E1EA33A798AF9137209BE6A904D4217C9B319C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401282Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:37.587{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B3775997EA10B028E9949E39651ABF9,SHA256=E666B7544DEAB306593A084E896E35C0935B2623DF81F39784DAAB945AFA5A37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456432Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:37.168{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A499901FFE01A972884BDF98401277B,SHA256=584255D5BA8A3CAA62E4C1A6CFD5B054546680783780C1BC4AE0EC48779E6875,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401281Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:35.319{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54110-false10.0.1.12-8000- 23542300x8000000000000000401283Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:38.603{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42834DB04968FDF24175767E638CB523,SHA256=1BE09ADF719E31C5D9ADFC90A2A855C34F0B476AB2CE748D96CA7F3510EC4FC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456433Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:38.183{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A33F800A76A59C8F145B3F073217167,SHA256=C027974C785B36FE9F84526A90CBBA816BA9461132D3CFDD49B9524FED7CFE5A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000401311Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:39.853{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0D03-60E3-FF0A-00000000D401}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401310Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:39.853{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401309Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:39.853{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401308Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:39.853{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401307Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:39.853{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401306Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:39.853{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401305Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:39.853{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401304Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:39.853{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401303Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:39.853{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401302Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:39.853{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401301Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:39.853{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0D03-60E3-FF0A-00000000D401}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000401300Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:39.853{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0D03-60E3-FF0A-00000000D401}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000401299Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:39.854{7F1C7D0B-0D03-60E3-FF0A-00000000D401}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000401298Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:39.603{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BEE4B5F908D1D382DCBCBD8EF27F149,SHA256=354429FE0C495C7AED184D830E473139573675A372E9BAE3770637A24AFEBF19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456434Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:39.197{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A91CE035017748447F0CD0CFDA04E703,SHA256=5EB301FBEB2F57208582953B8939C99E3C609279FCC5DFD0DFC376406022A036,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000401297Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:39.400{7F1C7D0B-0D03-60E3-FE0A-00000000D401}31964048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401296Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:39.181{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0D03-60E3-FE0A-00000000D401}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401295Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:39.181{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401294Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:39.181{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401293Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:39.181{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401292Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:39.181{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401291Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:39.181{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401290Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:39.181{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401289Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:39.181{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401288Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:39.181{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401287Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:39.181{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401286Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:39.181{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0D03-60E3-FE0A-00000000D401}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000401285Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:39.181{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0D03-60E3-FE0A-00000000D401}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000401284Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:39.182{7F1C7D0B-0D03-60E3-FE0A-00000000D401}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000401328Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:40.681{7F1C7D0B-0D04-60E3-000B-00000000D401}34682480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000401327Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:40.634{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DAB5AF9F4ED249DA896028A08028CED,SHA256=25F1FC69A60E386A0F4C5230D5E36970B0A1BBB520B1103E8AC84F4CC89CE523,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456435Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:40.212{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABF27080C7030BA17F39EC69A2EB15C5,SHA256=03AA9FC22CF0B30264C35B0D39E0CBA3643D2E065640E7531A2B1515F03C54F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000401326Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:40.494{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0D04-60E3-000B-00000000D401}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401325Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:40.494{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401324Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:40.494{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401323Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:40.494{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401322Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:40.494{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401321Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:40.494{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401320Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:40.494{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401319Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:40.494{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401318Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:40.494{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401317Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:40.494{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401316Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:40.494{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0D04-60E3-000B-00000000D401}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000401315Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:40.494{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0D04-60E3-000B-00000000D401}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000401314Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:40.495{7F1C7D0B-0D04-60E3-000B-00000000D401}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000401313Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:40.228{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C417F2F7E7E7FCFE6B1A20723786A93,SHA256=C900236B0F0E75A6FD35B189F6EF291B00A82787286E2BABD5AECF9303AEA225,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000401312Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:40.072{7F1C7D0B-0D03-60E3-FF0A-00000000D401}30803372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000401343Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:41.728{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=831DDC46CE498583F3A601301BCB5708,SHA256=0F9B72DE327357DB95B08CAD203BF93F28F11701BDE6D9C640A731778E520944,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456439Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:38.612{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61142-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456438Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:41.394{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B94CA5AEBF14390F8ABD6D3F17126C47,SHA256=CCCBEEC7E1553BC7AA35BF1515B8EB5B69C12973EE0BE44C19F2306E12C47834,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456437Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:41.394{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4D1E9E4959947BBDF837EA468504DF6,SHA256=B202740E37DF2AE2760EE1725D9D553E13E664F63B2B74F740B6BC0A002B0130,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456436Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:41.226{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3690670881FD903929B137DCB578DCEE,SHA256=EC82376F2B12F2A37B26AF76321C00183EFC5BB7B812DBD69126366B6B547529,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401342Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:41.634{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FED22E363B36C8CDA44A83034D6B08C6,SHA256=410898C66A1E92016D12DD7536A949335DD70F750804C258807D4BF7D8A8440A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000401341Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:41.165{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0D05-60E3-010B-00000000D401}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401340Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:41.165{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401339Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:41.165{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401338Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:41.165{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401337Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:41.165{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401336Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:41.165{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401335Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:41.165{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401334Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:41.165{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401333Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:41.165{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0D05-60E3-010B-00000000D401}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000401332Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:41.165{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401331Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:41.165{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401330Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:41.165{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0D05-60E3-010B-00000000D401}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000401329Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:41.166{7F1C7D0B-0D05-60E3-010B-00000000D401}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000401345Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:42.759{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7F0636EDBBC5B21153162906C845E1B,SHA256=C01D7BE610CBAC0D36399970931D1FDCEC560B3F8FF19C73DF30D9C422B45F3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456440Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:42.245{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA470BA27FE74F1D2EFF1B3ABF143F39,SHA256=6C231AA3FC6A3D722180BC28BA7DD89FC1125EDAE98DE98969083D928711EAA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401344Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:41.350{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54111-false10.0.1.12-8000- 23542300x8000000000000000401346Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:43.806{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6061CF7F9579A83771EDCE1898B3EAE2,SHA256=DD39E7CA0C7D6A48C09A5B049FD8B1A538A43DEC0C803E33C7CD56640FA1F574,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456441Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:43.261{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33A9A991918E8244A57FAC98AC37FA90,SHA256=C2051501966CCF0E72E4A8AB6C71EB70CA9AF4AB1935815CF78B2B805EBE43A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401347Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:44.806{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3474CE0B235251E24FC7FDF3D54DC32,SHA256=2550DF138598387F1BB63D0901CA3C70EF6E3BC832F4E29D6BE7C54344A7AEB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456442Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:44.275{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4DC32BF9F7061AD9392E92FF9379CC2,SHA256=79943CF7094EF031688F2B118E0BEF6AB48938A3D2F61BFB146B53D22A92EE92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401348Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:45.808{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38E099DA61956767819F0CBEAE8D998C,SHA256=D6D8F1AA08988ECDEA82EFA94DBE54E6D2815AB19CD9BDF620A1EBC7454FB3DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456443Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:45.290{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=580B3744365035D343329B17C00B8C29,SHA256=3C3820F2DBAF1E379BB50E5DF88A55AAA047553924147F2EE158DB54F3F82570,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401349Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:46.810{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5C5F850A998D1B2B181E0BFBBCB7F23,SHA256=82B9792495C0870E40AB2483B176B599E8F965C6D7218B516AA8AA9473FC2F2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456444Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:46.304{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0746BAF8616AC5C5DFCF29B7CAA15A3,SHA256=976FC1F6BB6A43F0B69C48363E251D1B80CFACC27CDABAA36A3103514FADE530,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401350Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:47.810{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4320CB53E5103171A98CB1253A025791,SHA256=9EF5323F311EDBD0265C693894CE14B86086BE716D806244F253FDB1DDFF2125,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456446Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:44.636{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61143-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456445Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:47.319{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CC0B06AEA7D74E6FAD06B8AC0F90AAB,SHA256=B4B5E77D85B70F4C25CAC77603DB2C1C60A10C8B13E2113035169AE1A8E532B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401351Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:48.810{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=779B2B72640B8EC64C782EEEF682058E,SHA256=BD61044659E33127CDF98EF00B5E8D26A50651136B07247E682BD7404FFAAA75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456447Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:48.338{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A10BB15DDA140213BE6EC723ECF6D3DA,SHA256=99FD0A7FDA35E48709E9A0060F44B719EDB381A99F45E3C6B4CF47DAB79676A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401353Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:49.810{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2862BFAABB51A0B7276025A8644D5FCB,SHA256=5BEC1349B60C2D86721EE86193D7D754276B4BE185B50655B6742230137A5DF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456448Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:49.354{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CAD524B8C22BC02DE98DCBA43BA2191,SHA256=E8F584A74112CA615EB174D360823E93BA2716F9F924E9F3483A5070EEB11D3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401352Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:47.338{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54112-false10.0.1.12-8000- 23542300x8000000000000000401354Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:50.825{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=316125FF2F04B198832DA40F86B4E1C7,SHA256=DF699018F840B2DA2DA7934B8C165BA78264E35221DFD13B5261E65437DB9728,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456449Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:50.384{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18F5A4B33DE2C59FCB0AA7EC4DDB55B7,SHA256=5408F8A04CA2F2C2112BA05E3386E0D84BB00E75599B2F9F70827709C52DF581,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401355Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:51.841{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDAEF5F6F1BCA16FF5FD9553EF9309B8,SHA256=D69B5B168FE0926CBD6E892172D3211455E931273E035BB43F8CCB134FB01100,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456450Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:51.414{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B6C5B44E5343A539CE560B0FF924074,SHA256=A5076929BCC0DFB7AE5ACDF32552E0B621D740A6FA2C8ACA1F3A0ECA76658429,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401356Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:52.841{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4581103657A6D5C65BCFD7E60FA09C9,SHA256=2A704539FB521BAE5463F295D8E9DFA10D2F064499CEA58117313812153A814E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456452Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:50.629{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61144-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456451Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:52.465{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA1C5CD45FB92E3100DA8C05BD6A694A,SHA256=96BA76B5FE6C3AF45521CCAA7015617604D9E15333F269B67627D8E3D11246A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401357Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:53.841{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=613F1F57EDD5F055F3FB089F70F69B18,SHA256=CBF4078E3ADEAC896ED2BBABDC52F218EFDB290D333CC434DCFC9C731B633DF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456453Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:53.496{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13C3391DFC8B48C2763337003A0228EE,SHA256=7F495404739DADE69ABFB13F149C8D2B1149193F640B967930C40B10FD2FCE2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401359Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:54.857{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=190E19D49D73AF3D1F566436D5D93D13,SHA256=87E4BBC9901E13F35FEAC1C5656D64D478B4E66F7FBE15E5EAFFAC6D0DD96F79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456454Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:54.529{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2FFB919D127EADF3C55278033407C10,SHA256=1211741E112EBA1563D89F9F375FF1777993E67F150335C05C1F32249C21DF6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401358Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:53.323{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54113-false10.0.1.12-8000- 23542300x8000000000000000401360Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:55.888{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B100DC2D428C2D2908A7A7258752AF8C,SHA256=8A5B85B837174F0B238E6409ACD059ED6557CE3DB09FD3EE7AF2A4962AE12289,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456455Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:55.562{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95258002CFD8E61E17A99C07206B7880,SHA256=00640BE57249FA3664B96822A9785912EB04204DC812A99EA2B1646B9C115A87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401361Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:56.966{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2858B6456AB2278EEA903E395C8F2378,SHA256=DA356711C5F42F7E4BE94BBFFB75C4DCB41C4C71DC9FAE9D2D29B7B08AC9EE53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456456Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:56.592{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EA43FB09AC6BAEDABE7D68527F1A185,SHA256=279C83EBCA8C45A6354F029C6D529094C406D6874463A6FC5F5C7385789200F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401362Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:57.982{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=584C1F77FF653622931AF485E9F132AD,SHA256=6FFC9B6206896B8FC31FC81E835C92D61B2232F6957D76CDEBBE47B5D4E08212,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456457Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:57.624{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BC416BEA98C56C06EE30E4666423905,SHA256=42E4429D33530B3B52EA74D22841F7F750A604708B86F4F7161E20DCEA72C1D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456466Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:58.842{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0D16-60E3-930B-00000000D301}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456465Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:58.842{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456464Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:58.842{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456463Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:58.842{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456462Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:58.842{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456461Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:58.842{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0D16-60E3-930B-00000000D301}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456460Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:58.842{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0D16-60E3-930B-00000000D301}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456459Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:58.844{D694AEB8-0D16-60E3-930B-00000000D301}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001456458Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:58.658{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD887AB5C0BF5F718CC40FF8DF0FC8F1,SHA256=4012A680D94284BD835B09B0E887D0C14CE6FEB7F86161639667C8C22FD694FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456479Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:59.858{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADDDB5CD52C53EC8A722D29BB56BF051,SHA256=0DF31165823E3A3E033F033F5464465008001A510E3C713A9E56476A595F50F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456478Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:59.858{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B94CA5AEBF14390F8ABD6D3F17126C47,SHA256=CCCBEEC7E1553BC7AA35BF1515B8EB5B69C12973EE0BE44C19F2306E12C47834,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456477Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:56.654{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61145-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456476Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:59.704{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B344D1FF5FDE3FFEB6FECDEADDE541A,SHA256=B9BEA903C55EC7F778F204C9E59072910835E5E3A29F0F7CFBA0781E90B93DBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401363Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:58.997{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EE83BF05B171EF9F9E880127E82FB71,SHA256=33EFA1DD204093DC39DF18E39C4B69D45575ECA389C0B406177B6128F8FDB33A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456475Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:59.657{D694AEB8-0D17-60E3-940B-00000000D301}23124756C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456474Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:59.525{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0D17-60E3-940B-00000000D301}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456473Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:59.523{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456472Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:59.523{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456471Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:59.523{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456470Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:59.523{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456469Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:59.523{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0D17-60E3-940B-00000000D301}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456468Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:59.522{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0D17-60E3-940B-00000000D301}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456467Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:45:59.521{D694AEB8-0D17-60E3-940B-00000000D301}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001456488Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:00.726{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AB4E85060963BD6FAFDB697B0FC40E4,SHA256=8428E54D6539149D599FCB5E96BEB3F1D9F11095B955133082CFC3653EF7828A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401365Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:45:59.276{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54114-false10.0.1.12-8000- 23542300x8000000000000000401364Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:00.075{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E7613058B7438663E0CA1B09F8C99D6,SHA256=63FF3626C2641AE8F6F0D0177449980B3E315125E6A18FCB731E7EF53ED187B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456487Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:00.189{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0D18-60E3-950B-00000000D301}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456486Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:00.189{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456485Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:00.189{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456484Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:00.189{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456483Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:00.189{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456482Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:00.189{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0D18-60E3-950B-00000000D301}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456481Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:00.189{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0D18-60E3-950B-00000000D301}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456480Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:00.189{D694AEB8-0D18-60E3-950B-00000000D301}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001456490Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:01.740{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ABADB46575C651B601B7D610BF3C231,SHA256=96FCEA6516FA3B9D7ADCD8FF4716BDA56BBEFA8FA76771FA95CAADF0FFCFA733,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401366Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:01.091{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ADFAE4F8384DF85CF53F1112EA64FED,SHA256=BB64F4FC234D90A848DA1BC507F47308B62D279584F32B603F311BEB767A8E7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456489Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:01.256{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADDDB5CD52C53EC8A722D29BB56BF051,SHA256=0DF31165823E3A3E033F033F5464465008001A510E3C713A9E56476A595F50F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456500Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:02.939{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=306D0CFD24BCE2F59C1DF65357914658,SHA256=C73BA811C04E6B35CD840037C56C9A6807DAB00C24D89197D40A68F1C68DA4AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401367Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:02.091{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=738B9F3DD53FAD1C475605512C11064C,SHA256=F0B983B3B98719D7E4CFB963F94F86F1E2166444DB9FEE22ABFED0CB42BDF6AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456499Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:02.624{D694AEB8-0D1A-60E3-960B-00000000D301}36804748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456498Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:02.471{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0D1A-60E3-960B-00000000D301}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456497Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:02.471{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456496Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:02.471{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456495Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:02.471{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456494Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:02.471{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456493Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:02.471{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0D1A-60E3-960B-00000000D301}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456492Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:02.471{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0D1A-60E3-960B-00000000D301}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456491Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:02.472{D694AEB8-0D1A-60E3-960B-00000000D301}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001456519Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:03.954{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E92A991CB1F1CEE0FBF7150792D437CF,SHA256=390458AA2A83FD94D65CB326413AF114F91E6973EA319BFBA44D66B2111C433B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401368Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:03.091{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B5BCA0C6F3D7965BA81F51DDB89F3B1,SHA256=DFF78A4EA204AF33EC80E7DAF5CE98631F8A9116C6C2E4DF4C8D6DCDC9A25947,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456518Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:03.654{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0D1B-60E3-980B-00000000D301}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456517Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:03.654{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456516Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:03.654{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456515Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:03.654{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456514Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:03.654{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456513Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:03.654{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0D1B-60E3-980B-00000000D301}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456512Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:03.654{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0D1B-60E3-980B-00000000D301}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456511Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:03.655{D694AEB8-0D1B-60E3-980B-00000000D301}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001456510Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:03.521{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA480EBD441D2CEA74E0456604B6BBDB,SHA256=CA2483D9341A464BAE38A06B9F9E7B0B218068199232A560812154C94339346D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456509Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:03.186{D694AEB8-0D1B-60E3-970B-00000000D301}59002696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456508Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:03.039{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0D1B-60E3-970B-00000000D301}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456507Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:03.039{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456506Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:03.039{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456505Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:03.039{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456504Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:03.039{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456503Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:03.039{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0D1B-60E3-970B-00000000D301}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456502Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:03.039{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0D1B-60E3-970B-00000000D301}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456501Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:03.040{D694AEB8-0D1B-60E3-970B-00000000D301}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001456531Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:04.972{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FA7911B20CE681FC2DDE85F5A5AD8E0,SHA256=6DB52C3644D7FBD184052EF7D1722FB8B3A6A7B29DF23F9CE8428C9C2A747970,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401369Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:04.122{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18554DBE6C2634BBA9FBB5D2033C46DC,SHA256=2D49665CEF4DC50CE7CCF2450D2872861D11BF5BBA244EEF688D1CB6B3F18793,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456530Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:02.648{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61146-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456529Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:04.668{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B04E9819298285F085B153B86EDC095,SHA256=F71289093BCABA5CA9D797CB29F5CF47CB63AB78083FFE5492178F6C221D2A26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456528Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:04.500{D694AEB8-0D1C-60E3-990B-00000000D301}62525212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456527Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:04.337{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0D1C-60E3-990B-00000000D301}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456526Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:04.337{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456525Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:04.337{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456524Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:04.337{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456523Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:04.337{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456522Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:04.337{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0D1C-60E3-990B-00000000D301}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456521Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:04.337{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0D1C-60E3-990B-00000000D301}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456520Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:04.338{D694AEB8-0D1C-60E3-990B-00000000D301}6252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000401370Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:05.122{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C68E3CE8A28E68A0BA3FDDC34A67DEAD,SHA256=73A0C30A6707989621C1BF4C4CD25994C90D3E104DD215EAD1068F8944D8FF16,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456533Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:03.485{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61147-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001456532Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:03.485{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61147-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x8000000000000000401372Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:04.463{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54115-false10.0.1.12-8000- 23542300x8000000000000000401371Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:06.122{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BE9D0BC4100FA4C5007CF21E4D0B05A,SHA256=86F5A4CA56619B89055FDB400E9D7CFF9BE4D139BC91A5EED27CFD5F2EAB87FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456534Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:06.002{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=550FE67AD3070B1E67A7B5DC9387EB42,SHA256=60202068BF157A601FAF9F63324E8774F32AAD0866DABDB96F15C6D821B050CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456535Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:07.039{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=268C8384964427E4E68F808663A1F03D,SHA256=FF7D7B20188796114B55DBBEF662C361C5E3E3987CFA3F00D7E347A14A662FBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401373Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:07.185{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BB6124E9A6D6ADA472BFBBC98232FC2,SHA256=11BAAC9615C593963F608FC9FC3CFBC839D9B4E8DBA835212F3C1B9F9E5DDE50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456536Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:08.053{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37D659C4D4EB76BF907467A93A6F3A56,SHA256=5A9FF3E3D89580856C858BF9D72E9781F6BDFCB226930275096DBED24312936E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401374Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:08.294{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A066468F16B93E680996F230EC4BFBB,SHA256=8E4C979F0C218FEED557F7FEFEBC0765393993D9940FE88F3EEF4FB6FF36CDE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401375Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:09.294{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C079C7D2A4E66B046AC62B4420EF33FD,SHA256=B563E5CEA739BE23B2A51CDDA985CD1445C345CB977273AA8B0E5514549A2B36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456537Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:09.069{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C14763BF26DD2E4FF3FE512F79F20EC,SHA256=9CCA2CFE35A5492C8F6015A3EF6834F6EE6041B0ED3C7F40DD66896D7375B4FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401376Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:10.310{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86EF2795A605B2786AA6C051FA2A4C46,SHA256=6CFF5D30F1D5849DA3A80FB1A4538AB5942089623D34026CFDAA426DE45F14D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456539Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:08.646{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61148-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456538Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:10.083{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A516ADF99F5EAE2D76CBC13B415D602A,SHA256=93768B8CF410A226B32CCE18CE28603A446987F24C532B51991C723F6F7AF826,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401378Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:10.417{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54116-false10.0.1.12-8000- 23542300x8000000000000000401377Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:11.372{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1598AF14F8AA26C203C640E5E5D80B5,SHA256=1B5C30C398120FB5C55576CBA7F6B8F8BD45188E446C5EF00C39260A2A60E199,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456540Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:11.098{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3139E4FFFF9D16E8340E8AF012581ED,SHA256=DEA9EB1BCB47B63C6F170BA4D34268B30684F4DD87F226E105676120193682EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401379Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:12.388{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=006D0285162253806F408589ECEFDF50,SHA256=17B60C3F0DEAB05DCBFBEA556E03CD7B5B7FC4B690B2B4193BC1EFECBE876984,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456541Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:12.115{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A73EB77389B4E9A443D72EBB580EB427,SHA256=BA4086BD51654D415A72B6BE361AA4C1AB4C16F190BD55F6CF9550794A2BAB58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401380Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:13.622{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE887DF61FCB2DD3E193AAAF2E18A1C9,SHA256=07F9AD2E257BAC1DEE4256F8F17F12446932F53BB62C170A0DF7C66FA0207AB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456542Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:13.134{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC6E8AF9EAD8B322952AD41C6CF6C99A,SHA256=EF32B3132228A8566B338133C7BF9A80FFE182CD5725354EEA44F875D3EFFFF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401381Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:14.700{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA0B39CBAF6AC04F87546127B6191F49,SHA256=10E69A07110188F848FA06B6AB6E741B89A73CD19176B5B5CC3D4E157A32ED46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456543Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:14.149{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34FF54094829AD0E4B3E9C7B9E2672F9,SHA256=93D7A5AEAE77995D1684B91F17416B03B5DDB093DA313D8BE948ED32B90C088C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401382Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:15.810{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A042E0286FCB7BA35216FB014EFC5A7,SHA256=071EFBB6118B612B11FB22E7B3788E97E1CB6C61748BD07A5E6A8A762883465A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456546Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:15.631{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95EB92F578B27C6C7BC04A5347F9AF1B,SHA256=E74FA658BD8AFBADE71B2857F4C2FDE3B3008C57C45ACC3F0254AD5A1BC25E30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456545Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:15.631{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B61304D40B087C7AA7970FA90E35BFD9,SHA256=12F0C11690DB3CC53FD07E72A92DB3CC5229D73E285D0850D671C241694E999B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456544Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:15.163{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23555B38AE02AEBBD2C5943ECAC87535,SHA256=88B24CAC743C44F4327CDC54959D2E19A2C87899DB4C443A8E72F444858E890F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401383Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:16.810{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BA885F1FAD10BE83235B4A33529B4DA,SHA256=7128FF5BAA701072CC7FBC774E9B2B652766F8E983E385004AB4DB29E7C65657,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456548Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:16.193{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=163B843FB1562F5FCF648CDB3A457DFF,SHA256=F81938FA957E146E46FF149B9F4448FCCA639511AE76B1A1F0A4651109CC0989,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456547Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:13.348{D694AEB8-B3EA-60E2-0F00-00000000D301}376C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-21095-false10.0.1.14win-dc-201.attackrange.local3389ms-wbt-server 354300x8000000000000000401385Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:16.433{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54117-false10.0.1.12-8000- 23542300x8000000000000000401384Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:17.810{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3CEAA9FCFF0E789FED84F1652C31F16,SHA256=819660B338BE8B4F00718F642AA38519DD1751B1D515F42F1CB52DB4A1D0EEF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456550Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:17.210{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=044DCB006FF6114C4A4680D22D9DA5E3,SHA256=4A1E8B67067914F03E38A76FB7969815A81D2A34557DEF4D606272717E83AF10,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456549Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:14.656{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61149-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000401386Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:18.810{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84E1C4E0B2CCBC0C1E526715F7942EAB,SHA256=611DDD658F76222DD2B1F43F4CA8CB269BFDAC14FF42EB79CD57F86F8F4A9C93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456551Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:18.228{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC499E83EE6B62BBADFCCF4263316CE4,SHA256=A89AC435C49EF19E70165253364FD6B67628D6AEBA9561D1246DAC85B71DEE6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401387Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:19.810{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BA6C46CBCA9B32D54E0FFFD7342D53D,SHA256=FB73FF5BA839462AA0092D2C7FB18C4C7901A595D4FB54DB9089C8701B7FE26C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456552Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:19.242{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EE966D2D2D180380EF892232FFD07CA,SHA256=5FCB6729438DF6A773416A6206B21F81AB023D6CAF7D303AD0F9A851ADBCB918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401388Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:20.825{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74188E0C5704846DE9A00CEB2F28D082,SHA256=9C8C27C72D80E01337661A067BF923AB3AC7C60D79E5CEDC345329947B2D6182,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456553Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:20.256{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADA74AA595AD06C397234AF0030B0F2B,SHA256=504F673D6B74E066E2AC151FCC7399945302EB9CA3DD17A61EC9014AB3BF34E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401389Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:21.825{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A6FBFC0376738FD4B9828857DA4975A,SHA256=1BB9CAA7EA9B35CFBF7250A9F7C5A84B972CAC11DF1D0DE10EA7504D9DE254F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456555Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:21.870{D694AEB8-B3E8-60E2-0B00-00000000D301}6565444C:\Windows\system32\lsass.exe{D694AEB8-B3E5-60E2-0100-00000000D301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001456554Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:21.271{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36019A54B568D16A2BA0BB78CEEDEA0F,SHA256=B350257C9706B37401DBE9B904E89EE85DF5C1BFAE5E7971F2868156D6C37C28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401390Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:22.826{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1A2DA340B402EA9FF12BF355FCCB7D3,SHA256=1C03DC710B3DBC1A31AD5DAC5C8FB1C98D1AA95F568F2739FC9111A47427848A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456561Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:21.204{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61151-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001456560Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:21.204{D694AEB8-B3EA-60E2-1600-00000000D301}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61151-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 23542300x80000000000000001456559Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:22.785{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=261C5F57A4476512B65268E3A3EA1FFA,SHA256=11DEF9BE3E31D105C5D322FCB68F793389986A3B1BB92FDE323FD48DF3AEE0E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456558Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:22.785{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95EB92F578B27C6C7BC04A5347F9AF1B,SHA256=E74FA658BD8AFBADE71B2857F4C2FDE3B3008C57C45ACC3F0254AD5A1BC25E30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456557Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:22.306{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FED7A74E5CF746D33D4D3BE56FABDB35,SHA256=93FD829B79771C21F9FC846FE7A53445B5066F78985AEC684425EC47DEDF9549,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456556Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:20.617{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61150-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000401391Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:23.841{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75140387280CCFE99E58A9A8E540403F,SHA256=32427F6B3327603A03787BF7BCBB01885DEE8612230FE17FEBF1ECCFFB5EE93E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456566Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:23.338{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=735F02A0BFDC6915B681759D6693AD2C,SHA256=ED9D035E32993DFEFE1835B6F5A51F66E1796EF5A5C88FA1199EFBA3AAD1075D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456565Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:21.320{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61153-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local445microsoft-ds 354300x80000000000000001456564Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:21.320{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61153-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local445microsoft-ds 354300x80000000000000001456563Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:21.211{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-201.attackrange.local61152-false10.0.1.14win-dc-201.attackrange.local389ldap 354300x80000000000000001456562Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:21.211{D694AEB8-B3EA-60E2-1600-00000000D301}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61152-false10.0.1.14win-dc-201.attackrange.local389ldap 23542300x8000000000000000401393Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:24.841{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE8C91154E3A0E11E25E3A29B9A1E59C,SHA256=02D44DBBCDD558E8E685BDC5A9A244913161D1151F45C25F4CB76F6F6D936DE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456567Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:24.352{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12F434735B40F2A7AF908EC2C65CE932,SHA256=F967405EA976073F6602C2DAF901F299D27638E1E1E2E2B9DF1DCEAB3418B333,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401392Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:22.401{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54118-false10.0.1.12-8000- 23542300x8000000000000000401394Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:25.841{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B177A2F6F0A4FAC1BB46B16DA3250448,SHA256=BF01110D0D5EF1A2DBFA5366A768508570F4E1005682032496A45F856F8B70F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456571Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:25.367{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=838113437E7943774DF8210287050B95,SHA256=FB125E2946DCC8891EC4953DA58767A53FA9046B546EF04C06EE8FC4742A58A0,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001456570Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:46:25.005{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\DFD6B7A8-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_DFD6B7A8-0000-0000-0000-100000000000.XML 13241300x80000000000000001456569Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:46:25.005{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E4B998BB-7148-4125-92A5-5D16014446F6\Config SourceDWORD (0x00000001) 13241300x80000000000000001456568Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:46:25.005{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E4B998BB-7148-4125-92A5-5D16014446F6\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_E4B998BB-7148-4125-92A5-5D16014446F6.XML 23542300x8000000000000000401396Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:26.841{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AC4DDE7E4C89DAB7537C0857BC14823,SHA256=EFD0FBBB2163BCD8A2902A97757C92A62CDA1B7717AA04E0413EF5B3E9E50E09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456579Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:26.451{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F74E7BFC8C0F3F1C34E42EF12A40363,SHA256=42C5B1D47C31FC6392EB11325D51A35DB265034000F1CC91E58405561F1C7AFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401395Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:26.404{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D77901BEE943884E1DBD9284A9DC5147,SHA256=136F3CF070C1FEE53ACFDEFD1D53D2E7A326E9C536E0D713A88FC5498F06678F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456578Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:24.465{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61156-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001456577Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:24.465{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61156-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001456576Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:24.459{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61155-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001456575Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:24.459{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61155-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001456574Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:24.446{D694AEB8-B3EA-60E2-0D00-00000000D301}916C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61154-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local135epmap 354300x80000000000000001456573Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:24.446{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61154-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local135epmap 23542300x80000000000000001456572Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:26.020{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=261C5F57A4476512B65268E3A3EA1FFA,SHA256=11DEF9BE3E31D105C5D322FCB68F793389986A3B1BB92FDE323FD48DF3AEE0E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401397Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:27.841{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AC84B9744F1E6EF6DC79ECBBE433101,SHA256=58B29C9597A171F8E8F231A1BD471E911B7FEDC16AE3E314654D4B19B91175F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456609Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:27.581{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA76E14CBD0A1F24C4DCE8D81EBE8470,SHA256=F82842D34E561805246B39B4843FC75B12730E5CD751D1D34DEA1C08D9EA5B64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456608Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:27.019{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456607Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:27.019{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456606Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:27.019{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456605Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:27.019{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456604Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:27.019{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456603Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:27.019{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456602Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:27.019{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456601Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:27.019{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456600Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:27.019{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456599Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:27.019{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456598Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:27.019{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456597Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:27.019{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456596Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:27.019{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456595Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:27.019{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456594Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:27.019{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456593Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:27.019{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456592Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:27.019{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456591Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:27.019{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456590Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:27.019{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456589Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:27.019{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456588Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:27.019{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456587Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:27.019{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456586Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:27.019{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456585Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:27.019{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456584Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:27.019{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456583Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:27.019{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456582Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:27.019{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456581Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:27.019{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456580Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:27.019{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000401398Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:28.841{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9D00D12068FC4E66555EE56E3874338,SHA256=BD5B23A01CEF6E56CD37830CE0F16A7D3EDBFD0F39A805E9FF298250FF332BE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456610Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:28.598{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51A9E902BF96F4C0D9F2B0C0856445A7,SHA256=44C3FF7287DFC75BFB6C5D20A8EC3238259E2F6294CDF854EB681DC730D10AB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401400Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:29.841{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=041C6C00EFFEF7E1D1883BC76B121E68,SHA256=C2F320917D282617A256054EA1EB2821515E7F58F17A8E64F9C50A959F6621D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456612Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:29.617{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE9F5F695EB49D983DDF8424CD7DB57C,SHA256=96182EA3224DF1ED04F6EDD65A61FF7D404A0AB7F71977B4538D61DCC3AA8DA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401399Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:27.401{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54119-false10.0.1.12-8000- 354300x80000000000000001456611Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:26.597{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61158-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456614Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:30.899{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456613Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:30.632{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA287DDF7C6C7D4D2367E680E259B79C,SHA256=F19183A2DA9600A42BE642280524DBD2E77915D00F8DAAB55FF7E95347A0F520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401401Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:30.841{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=357B6560870EADC98663F2BCAD174C4D,SHA256=53DE3F9609E2B11210043706A9C85E6D281EDE1B7362AB2D97F00871D4E66A34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456615Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:31.678{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C58361D0EAB1778CAB6EE13EDFF1ADA,SHA256=380407E1FFF4DB7310909ADC9758A886DE0BC61497FFC39D34DDEC9E9BFC5263,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401403Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:31.841{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C8A54DA4E896FC0073C4A9B7B076FF2,SHA256=81FC69FD4D54D39A8BA7A46BAE7177DC5C55E80975718D4E914C63C1E5F561BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401402Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:31.529{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401404Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:32.841{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90FA50097F2314B51D573EB61392F1EA,SHA256=E01E290FAB476ED2587AA97F6D737FF94CF327A3E871E0955F363402D38D0A62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456617Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:32.695{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD86D3FFB8D6F339D21A3B59C07621F1,SHA256=B479CEA17A4A74FB9426944051EB84D0D4218D0CB8F189F4E7066AAC66D683FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456616Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:30.326{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61159-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000401409Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:33.841{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=267D5485808F9C4AD269FA0B25F83BBC,SHA256=1A232359D9ACEDE2011BD8B68540C20CE75274303E26390DA7EA6D44ADCCE69A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456620Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:33.729{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BBC85F5B796EB32BF3C866EDB12EE97,SHA256=460EECD83CC84EBE2B08570939469525F82D59622282E8A85EADFD44386EC9B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456619Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:33.729{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21364C5F667E55D7E9364188632D4519,SHA256=D8B9AB51C4553723D0304FA0571DDAB84F27724A0CE9329E7DB67EB78853F152,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456618Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:33.714{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=855D719AEF51BEF9E32FB294818B544C,SHA256=E3FA9A445A127A0287EDF2DAEEA02043DAEB6CD3A328FDD25E150CF013F99A25,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401408Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:32.283{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-56377-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000401407Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:31.729{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54120-false10.0.1.12-8089- 23542300x8000000000000000401406Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:33.310{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6644B1BF96F33C165E77513A848D14E7,SHA256=8EF39A974069FB924EB48072990FAA65EDC693BC4B8F8F89645A2323BB2135DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401405Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:33.310{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=365D71B7903B207A0648C7E811994C78,SHA256=ECB9DBC0D8DB8C29E0C741549FAD19756BE7FD18887F4ED4DD205AE76412DF28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401424Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:34.841{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBBDC76C3146FC5E45A57EEF538CB097,SHA256=2202303FFFB4CE51A8403E4D76F7A834ED6DE33D47FE3E0735ADE43E952327DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456622Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:34.728{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=760FC7F447099B02FC832B1F0D78CA87,SHA256=147E4504A2DCE36A80540CF50FBCB461E2E733718087AACBA7D6E976B9C8982F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000401423Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:34.544{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0D3A-60E3-020B-00000000D401}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401422Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:34.544{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401421Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:34.544{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401420Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:34.544{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401419Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:34.544{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401418Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:34.544{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401417Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:34.544{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401416Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:34.544{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401415Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:34.544{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401414Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:34.544{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401413Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:34.544{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0D3A-60E3-020B-00000000D401}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000401412Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:34.544{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0D3A-60E3-020B-00000000D401}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000401411Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:34.545{7F1C7D0B-0D3A-60E3-020B-00000000D401}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000401410Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:32.417{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54121-false10.0.1.12-8000- 23542300x80000000000000001456621Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:34.092{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D4D8F6D1A8D7967511377E1671751845,SHA256=08854EECB0220FDEE4945F1130DD720EF2152A4BB6641408A6B2BA295D15F0B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456624Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:35.742{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1798455C93442545325BEA61E6AF07CA,SHA256=72FDC2209F001B5CF91A6F52B1F4B2E9A26886F73C75CA091784DD30BDC101E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000401452Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:35.950{7F1C7D0B-0D3B-60E3-040B-00000000D401}40242556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401451Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:35.779{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0D3B-60E3-040B-00000000D401}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401450Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:35.779{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401449Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:35.779{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401448Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:35.779{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401447Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:35.779{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401446Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:35.779{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401445Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:35.779{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401444Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:35.779{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401443Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:35.779{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401442Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:35.779{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401441Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:35.779{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0D3B-60E3-040B-00000000D401}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000401440Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:35.779{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0D3B-60E3-040B-00000000D401}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000401439Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:35.779{7F1C7D0B-0D3B-60E3-040B-00000000D401}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000401438Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:35.763{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6644B1BF96F33C165E77513A848D14E7,SHA256=8EF39A974069FB924EB48072990FAA65EDC693BC4B8F8F89645A2323BB2135DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000401437Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:35.107{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0D3B-60E3-030B-00000000D401}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401436Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:35.107{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401435Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:35.107{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401434Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:35.107{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401433Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:35.107{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401432Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:35.107{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401431Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:35.107{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401430Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:35.107{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401429Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:35.107{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401428Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:35.107{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401427Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:35.107{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0D3B-60E3-030B-00000000D401}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000401426Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:35.107{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0D3B-60E3-030B-00000000D401}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000401425Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:35.109{7F1C7D0B-0D3B-60E3-030B-00000000D401}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001456623Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:32.592{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61160-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000401455Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:36.966{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37C7EBFF232B64A54CFFDF466D5BB63A,SHA256=615C66A52CC591F51254000D536D0E8A4CD5519EDFBB3EF0C5E978899BBAEC00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456625Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:36.773{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30923F446F220B1772D17EAF43AFC9E3,SHA256=5FED1925EA53355D1D8F9C0C0EF0A053E94D8BEDCBF0CCF284DA258F0AC85E39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401454Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:36.794{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D94970A6CAFD8D9704B18165C8E1C23,SHA256=425B5A3B431C1AA3F31B4BB8112CCEBA58F0EE5990B99B57EAEDB25AC30CB15A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401453Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:36.247{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=507DA87099982D5511C0B796F047096D,SHA256=9231F54770D91602BE6B93AB2959A9844F80B56E00777E89BB507506688DA34C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456626Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:37.789{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B1423B5BD56472F1196D8846EDA16CA,SHA256=9F00B075A2B65923E62226E909CC6766FAC33238998CB7A7A33DD9C90B69D3AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456627Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:38.807{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4EDA7D1ABE4EA6E67F70515B6B47DD1,SHA256=23EC30D241AC8CFDDDEC47575E8482DF3E9A4F3A1AE90BA45EF107F1FB98407F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401457Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:37.417{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54122-false10.0.1.12-8000- 23542300x8000000000000000401456Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:37.997{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E7929C01D578BC1C4414325AA09885E,SHA256=8AF5F6237E2880E38356E462123967794F443356A6EB1B743D230BDB7E6000D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456628Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:39.807{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6CC0A4ACDD062CB0E4569A1382E60F5,SHA256=8AF6D1730BDC9D43CFA2D64E34482692AF084A2737BC9214103CAA21874CDDAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000401485Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:39.857{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0D3F-60E3-060B-00000000D401}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401484Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:39.857{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401483Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:39.857{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401482Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:39.857{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401481Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:39.857{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401480Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:39.857{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401479Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:39.857{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401478Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:39.857{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401477Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:39.857{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401476Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:39.857{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401475Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:39.857{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0D3F-60E3-060B-00000000D401}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000401474Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:39.857{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0D3F-60E3-060B-00000000D401}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000401473Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:39.857{7F1C7D0B-0D3F-60E3-060B-00000000D401}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000401472Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:39.388{7F1C7D0B-0D3F-60E3-050B-00000000D401}37404008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401471Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:39.185{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0D3F-60E3-050B-00000000D401}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401470Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:39.185{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401469Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:39.185{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401468Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:39.185{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401467Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:39.185{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401466Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:39.185{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401465Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:39.185{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401464Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:39.185{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401463Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:39.185{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401462Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:39.185{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401461Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:39.185{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0D3F-60E3-050B-00000000D401}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000401460Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:39.185{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0D3F-60E3-050B-00000000D401}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000401459Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:39.186{7F1C7D0B-0D3F-60E3-050B-00000000D401}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000401458Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:38.997{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29385D13C5E883FCBAD65115AF6B2E73,SHA256=F6A05BB6C50B440BB2CD03695A0A37F9EDB2B806CA30B03BCFA4F1414CE374AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456630Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:40.869{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=892CE3EAAEE3388ABCF6480DDC5DE003,SHA256=AA66ECF98DB7A1FBD5457B3DCF7356C0960C963BB32C80070C6973A3D537FEFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401501Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:40.436{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=192E6098D9A9C896CF7FB6B691D76DD5,SHA256=687A4E95CB6E3617023259092CFC5DDC4E46216CC6BC8A15406D5FD4702D0997,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401500Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:40.436{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAA7225B2ABAFAB8C582A166AF1293AD,SHA256=E75AAD9CEECFE35A3CA3B7F824CD5B5C6F0DCFC02ABDEA430B12D6B051D2CBE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000401499Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:40.357{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0D40-60E3-070B-00000000D401}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401498Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:40.357{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401497Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:40.357{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401496Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:40.357{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401495Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:40.357{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401494Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:40.357{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401493Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:40.357{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401492Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:40.357{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401491Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:40.357{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401490Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:40.357{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401489Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:40.357{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0D40-60E3-070B-00000000D401}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000401488Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:40.357{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0D40-60E3-070B-00000000D401}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000401487Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:40.358{7F1C7D0B-0D40-60E3-070B-00000000D401}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000401486Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:40.060{7F1C7D0B-0D3F-60E3-060B-00000000D401}27362360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001456629Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:38.616{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61161-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456631Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:41.887{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=349C73A2311D1B101770783658FC5D1C,SHA256=08E922E79E1E0D23347CF8487850DDE344A81D23FA8F585E8F2D07C7107A25B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401517Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:41.591{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC2A59FDB34DFBCD9642A05C7D510DEE,SHA256=1C29080A720A641C7712537E891E62D642467C6A93A1457F4C83BD491D277219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401516Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:41.591{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9F98673C61E5AC9185631E58C6E8CEF,SHA256=A01B6E2CB5731B1D74824AE06B178A3F9FB379A01CFE3067F4BB2869CBFF2EC0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000401515Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:41.185{7F1C7D0B-0D41-60E3-080B-00000000D401}3112696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401514Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:41.029{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0D41-60E3-080B-00000000D401}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401513Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:41.029{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401512Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:41.029{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401511Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:41.029{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401510Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:41.029{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401509Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:41.029{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401508Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:41.029{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401507Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:41.029{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401506Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:41.029{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401505Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:41.029{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401504Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:41.029{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0D41-60E3-080B-00000000D401}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000401503Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:41.029{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0D41-60E3-080B-00000000D401}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000401502Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:41.029{7F1C7D0B-0D41-60E3-080B-00000000D401}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001456632Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:42.904{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=424728F2DFE8DFCFF2E8FADD411AE54B,SHA256=432BF60BD0D91746EFA892A49F50833343D39867C845FB200162332E0085A2F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401518Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:42.232{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AE4B301888DEF51C6029BFDC84F09CA,SHA256=AEAB0E23C9775440A5B896C5F6B82E6A6CE3B7F8D72412E41E4A38BFD4A3DC5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456633Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:43.934{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15F1B4DE512F1075AA03C30E82A5868C,SHA256=05AF8A5B019277C1B30EAFBAE564AAA8FE2DC619644F365F1A8B189106EABB28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401519Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:43.404{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4E9BA92ADCE8C5DF6459E7F5C7C9CCE,SHA256=662EACCA35B0C900AAF77E356AD613B78FFAF7351F413C5C19785525451DF963,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456634Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:44.949{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02F20607CA3682262F81708D35918DC8,SHA256=7393969BA0F82E89EF64973E8F6690B6CDB0EDDF158B8B8378787BA31482ADB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401521Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:43.417{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54123-false10.0.1.12-8000- 23542300x8000000000000000401520Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:44.435{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D765793575DFCF48147251C73853746,SHA256=5621CF0A604C5266B80D72D2EC17AFA92875FA93A30880CD49B94D3068C89AE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456635Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:45.964{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5D65BE45E22D3D518000D31C133EC24,SHA256=725AB825573CF5561F474401199FC0A407A9C5E645AEE8F49489990F2C3AB96A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401522Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:45.466{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E27E4C10404EA2620612982B0D44B30F,SHA256=61D4563C2B58EB1E19420F9D075BF559D85936B8CD470DCB7FF15FECCCA3FD8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456636Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:46.981{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=929FD7052866CAA5751D3CC222F51049,SHA256=754DC67E7C091EB2A250A50AFDE02BEBEB43A239FA09E9C70C0685D7512BFFE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401523Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:46.499{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4E8D189E3E0726E2B389316E045AC57,SHA256=B228562ECF5A2EF403E12BB73CEB8F2072467453DF33516A6930258FBCA87CD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401524Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:47.527{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89F6BC06CA90E0F2B3F45FFAA9E79A6C,SHA256=312A42A0D8C4D57D8B95D21C2B0556C34DE8B137EC1BB59D30FF96EAA5DCFF00,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456637Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:44.596{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61162-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000401525Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:48.530{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB4423339E7C1FA13408DDE63AE6D415,SHA256=2874E79C99C91A8CAAB95504FAB514DBD38BB729B460D29A7016E3AD76513BA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456638Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:48.001{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D11163B3C0861F0C56FC2014935939D,SHA256=74076A0C4AE641BE38874CB1A459D5F3C5D1B421F6A1CCC91B9B834F400680DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401526Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:49.530{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B75C39966C97EC4789163E9A1BC98014,SHA256=23FF659221C227E2E0F99C9E1311913590BBFCA6097D73857A8B9CFC3049184C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456639Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:49.031{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9DCB716C00F6C3010080E79664C8A7C,SHA256=75A4E324A0F4C072683A204E8399778230E000D4C038691EADBD220EB04921C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401528Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:50.530{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CFB04507069E2B929B749CBA0611B7E,SHA256=68620AE89A7A0BD69B9B8DDE3CCF99AD6E4B536EF68441C7EF87782D0B924644,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456640Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:50.046{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A99500AC77EA7D25A34FAB79B34C0E1,SHA256=6369D61F3DDEC1968746E08D74A053AE4C673524FE88F3A912D19C406CA3C387,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401527Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:48.418{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54124-false10.0.1.12-8000- 23542300x8000000000000000401529Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:51.530{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85DBFAF9E68C058AB3CC5A2F97D030C5,SHA256=D169CC8835894C126D0C7965A1C182B541716701EC3BD9DE625B63BE78FC30C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456641Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:51.061{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11E83886B3781D3624B34B0962A2C2DF,SHA256=EB812C0F55BF6F7DE9C63A88CAD131DCA04F15EF60E7C47B03D0CCE4DC2CB76B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401530Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:52.530{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0674CE71793C6AA1FA4C61B46C3B4DD,SHA256=6C9A09D83D95E8BB5D200FC7D366825BF9C5111D38A91F360A62364194A63599,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456642Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:52.077{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E53F072D34E063B0CC361D515B38A75,SHA256=EDEA20097267ECC6530427B49C078CCD7DDDDF674AF4F588D837D36E0A4B8B2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401531Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:53.530{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0673EF001B30A69A7AE858E4B1D81475,SHA256=F570D37E1B347474F58EFF96781102651DC412190C43085B7FF673853CAB7536,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456644Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:53.111{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6282BCBE0F43C5BF225DFB12A495B376,SHA256=3C6F674529EB8C53E662D888807856997A6D4840F96727C3E227968C171C6D91,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456643Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:50.560{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61163-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000401533Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:54.764{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94757BD294F984F739EEB6BCA0032EF9,SHA256=B2C28A707F29B8FC49960A2410BA93E37144750771182A69F0FE3DE3123C62B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456645Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:54.125{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F0A9CCFB24033D966B1E78B63637458,SHA256=2B8D032CE516DCB542D4409181C46E442578C500E39D7D03DA229DDC212AAF11,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401532Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:53.434{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54125-false10.0.1.12-8000- 23542300x8000000000000000401534Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:55.764{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A0C3A5988A7F346CB5CAC30ED23FA9F,SHA256=0AFDE266EC68DAEE0E091780AD807A1C066775DD153C38FE4AED4185B0460CCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456646Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:55.125{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57C2128AF10B21F6A3BFDAC56F6417C8,SHA256=8C081B446919413ADD6E8FFFA86710C7E6C67EE0CB8968A0E27CB967155132FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401535Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:56.795{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2CB4D6B9AE436D4AEB4299DFE59B879,SHA256=0D6DF7A70AC36B8A842FA903064FC0F6B5A8BBF0D203089823C76AD99A57CD61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456647Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:56.140{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=634F4E6C0DCB51F71C287202E5E94144,SHA256=29664832CCA9F0347ACEB4664A3F1FC4AECDE34D51E5012679310CA8583CFC04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401536Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:57.811{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35AB23C533E843928122C7F33A41BE28,SHA256=CEBDED0B461C36A7FDB62A717D3189D00544C034EC92E27C7DECFF9D77C2C33A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456648Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:57.155{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA70EADD6F5ADB8604F5637C91479E03,SHA256=3B55E1C9A909708FE54597E7B3DE1A7290A27138FB2398263E72B60EBB09D4D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401537Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:58.842{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25E20464BCB23FE84E0C7069A623C90F,SHA256=FCED539764392E3591950CF03A89E9CCB064599E4310AC4493EB61BF2308E3DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456658Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:56.586{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61164-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001456657Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:58.854{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0D52-60E3-9A0B-00000000D301}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456656Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:58.854{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456655Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:58.854{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456654Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:58.854{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456653Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:58.854{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456652Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:58.854{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0D52-60E3-9A0B-00000000D301}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456651Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:58.854{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0D52-60E3-9A0B-00000000D301}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456650Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:58.854{D694AEB8-0D52-60E3-9A0B-00000000D301}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001456649Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:58.172{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B78CD38943131119F71B04BF83A7331,SHA256=DEA783D18B0ED2835DCB84A947EFAACFF30B7C1FAA8C0A37330341191ECCB2B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401538Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:59.842{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDCCF104491010E778E13BAD2CC1AB88,SHA256=2E90405B22B5BFD6591E39A424B0A59ACB3E7C109A00ABF8AE19360FEFFB91C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456670Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:59.875{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDA46BFF128E2D6642CC9B08B1B53D54,SHA256=23FE7D31EBCAD41A3C625E2550713342D3459F96B56B0480556755C39A93517A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456669Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:59.873{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BBC85F5B796EB32BF3C866EDB12EE97,SHA256=460EECD83CC84EBE2B08570939469525F82D59622282E8A85EADFD44386EC9B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456668Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:59.523{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0D53-60E3-9B0B-00000000D301}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456667Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:59.523{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456666Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:59.523{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456665Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:59.523{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456664Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:59.523{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456663Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:59.523{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0D53-60E3-9B0B-00000000D301}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456662Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:59.523{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0D53-60E3-9B0B-00000000D301}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456661Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:59.523{D694AEB8-0D53-60E3-9B0B-00000000D301}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001456660Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:59.191{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=594E1B32BEF4B1AA5CA1BE59E0A3EAD5,SHA256=17547CC14A5FA0660FBF531EB1E10498928C3DB3E2D35A5C563AA2BF37EF89B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456659Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:46:59.023{D694AEB8-0D52-60E3-9A0B-00000000D301}49567120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000401539Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:00.905{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BA2E5F7AFA82F33164A3CC586C3B7D4,SHA256=D99A554441312A1244CC06385C4148D936C05203E3EA981BD003651A24F51E0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456679Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:00.222{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB77EB92754E61A3CA94936C19C90A1F,SHA256=957364BBA65A035AD6B1F7B079C7D03F2A7722ADF99CEBEA6CC489904BEC160B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456678Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:00.206{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0D54-60E3-9C0B-00000000D301}2160C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456677Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:00.206{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456676Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:00.206{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456675Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:00.206{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456674Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:00.206{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0D54-60E3-9C0B-00000000D301}2160C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456673Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:00.206{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456672Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:00.206{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0D54-60E3-9C0B-00000000D301}2160C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456671Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:00.207{D694AEB8-0D54-60E3-9C0B-00000000D301}2160C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000401541Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:01.905{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=534C850BB1510D36B4C7ABD09379C0B2,SHA256=9CD2F62624CE37CD6A8CB2C273652B22C06DB69811EEDABE55DA519830202C55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456681Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:01.252{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=479F64DEEB687E727403C1D4EECA9D9C,SHA256=BCF5FA8B6CA6E6EC69D804548198CA90361F62358FC27A30C3A0ADE2ACDDA6D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401540Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:46:59.419{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54126-false10.0.1.12-8000- 23542300x80000000000000001456680Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:01.237{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDA46BFF128E2D6642CC9B08B1B53D54,SHA256=23FE7D31EBCAD41A3C625E2550713342D3459F96B56B0480556755C39A93517A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401542Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:02.905{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8520EB88D4D0D42704747D948B7A90AE,SHA256=2D4E53037ABB9B3EEDE474C5773825FC9D4AA7D90D9D531D19A87A2F586DE736,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456691Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:02.635{D694AEB8-0D56-60E3-9D0B-00000000D301}49886184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456690Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:02.488{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0D56-60E3-9D0B-00000000D301}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456689Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:02.488{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456688Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:02.488{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456687Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:02.488{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456686Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:02.488{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456685Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:02.488{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0D56-60E3-9D0B-00000000D301}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456684Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:02.488{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0D56-60E3-9D0B-00000000D301}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456683Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:02.489{D694AEB8-0D56-60E3-9D0B-00000000D301}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001456682Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:02.269{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECAD17E95A0C6A4C9E4D0FD8C7A67B45,SHA256=91F80213C2075A9F74B21732DEDDE88E050CA028CDEFE3BDCC7E521B019162D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401543Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:03.905{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CF64F38956EDE3BD5666C89B095641B,SHA256=BEB66E9F4A21549B809FE744FF44C23A7FE73AA55FB998A55A3353C37C4B57AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456711Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:03.950{D694AEB8-0D57-60E3-9F0B-00000000D301}9645356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456710Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:03.787{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0D57-60E3-9F0B-00000000D301}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456709Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:03.787{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456708Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:03.787{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456707Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:03.787{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456706Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:03.787{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456705Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:03.787{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0D57-60E3-9F0B-00000000D301}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456704Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:03.787{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0D57-60E3-9F0B-00000000D301}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456703Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:03.789{D694AEB8-0D57-60E3-9F0B-00000000D301}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001456702Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:03.503{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88823D77510D417697D65B5C09937A07,SHA256=69F5A6ACA1A6CC480769252CD57259003325783E574A8E7FDEF9DF30F13063F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456701Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:03.288{D694AEB8-0D57-60E3-9E0B-00000000D301}60243108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001456700Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:03.288{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B158DF30CF813198CCEAB584AB64D8A7,SHA256=DCC35244EA72DBF55D09DC7A2C2DAA06A2552CF108D05F0F0AE237BF99C13556,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456699Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:03.151{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0D57-60E3-9E0B-00000000D301}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456698Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:03.151{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456697Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:03.151{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456696Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:03.151{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456695Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:03.151{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456694Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:03.151{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0D57-60E3-9E0B-00000000D301}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456693Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:03.151{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0D57-60E3-9E0B-00000000D301}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456692Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:03.152{D694AEB8-0D57-60E3-9E0B-00000000D301}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000401544Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:04.905{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B9B651719E25AEA1BDD500A1AFBC8C0,SHA256=5FFE3EB0117029B4538A87EF0B0756D3C2FBA4789E498297D147F999BDCC4155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456721Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:04.787{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5886EBB6AFE9E382D3465D08F4B3DCB3,SHA256=19E2F769F379B76ADC76DD63DCDF4CE1DABE79808079031B5393525451BDF819,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456720Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:04.403{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0D58-60E3-A00B-00000000D301}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456719Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:04.403{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456718Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:04.403{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456717Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:04.403{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456716Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:04.403{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456715Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:04.403{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0D58-60E3-A00B-00000000D301}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456714Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:04.403{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0D58-60E3-A00B-00000000D301}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456713Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:04.404{D694AEB8-0D58-60E3-A00B-00000000D301}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001456712Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:04.303{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4AD52BDDD00E866A46B506786D001ED,SHA256=B73602B89C836FAD958AAC9B8095FC14E65C708339A04B2A3555E8E52D2B2EB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401545Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:05.905{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB91AA710C8FF22F6B59E691D2836521,SHA256=0EBE749B9104F3CB5264CB0837717389F322468FD85A466168B0159105A18D8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456723Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:05.318{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B1DBF0C7E94C930BE16AD3726247317,SHA256=31FAF7ED1478FA024AABA6033A8A288AA416B377D363130B7BD0456304D4247F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456722Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:02.597{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61165-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000401546Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:06.905{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=812DE2C2A832987A3A9977B4CBDC6626,SHA256=EE1B180FD213B0F461061B40AD3590142FA90D85A1C2E1E855AA3D4DA8686A93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456726Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:06.349{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=527A0980BD99C854A055A925CEFC84BE,SHA256=3101CFB92C37704290FFAF8A7F7012486490FC4960DBD8AB1E4742B10DD71FE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456725Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:03.497{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61167-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001456724Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:03.497{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61167-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x8000000000000000401548Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:07.905{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE42CD0156CFA7F0F7F2C075CC6E5B15,SHA256=6AFBD261F73352C19DC35E3FDEE3DEF0DB12DF07AC536D3AA8BE31CD686B4300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456727Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:07.351{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C56BAE082F5D69BFC77395F7A6B5813,SHA256=A2D728BCDF8133F4922A7BA4C66F84FA861EE7499AC4966483496BDF6AC8B2CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401547Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:05.403{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54127-false10.0.1.12-8000- 23542300x8000000000000000401549Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:08.905{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=834ABDFC4858A558371C06A2B76DD394,SHA256=E7253C5FD7DC3EF21BDB4D9DE48DAAA9DC6B49C110722A31B622B67C23F4B7D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456728Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:08.368{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41EF8EF626B7DA50330B931D7E21602C,SHA256=5D2F80E45D0AB95912F017A4B6A561790B0CCCC772405A6F85EB19B69E271217,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401550Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:09.905{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B2342ECFF1149DC56CF00E7AFB19D2E,SHA256=09E4823952FF8D920614CA64B22A6834562ED13E2BE45B9EBA518F8C52A8DC94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456729Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:09.402{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3491E7FF6435CB72A32CDAD86649728,SHA256=640252D5D5A02E403B7BEEDAFE3134D0E3FD3A84AF7C3370BF9F27139F809F79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401551Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:10.983{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1738690F37E8F59947EC608AED35CF1C,SHA256=6517B700AC5D298B0D4FD3C1E35926276D62ADACCBCE8082E3AD4081C2329BC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456730Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:10.432{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75310AF2C136801717CD10B1B04BE405,SHA256=B5274FA4C82AB2DA7FF7E79E6C1C90E1C38FE104036A4C29BA497F5C96D38190,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456732Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:11.447{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AF3961180BDC68A72643F17FF08DA5F,SHA256=98E1D1033A3DB2F6071D3E945DE558BD6E84AE0A3AF22D3D1AC823B651246B87,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456731Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:08.611{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61169-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456733Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:12.464{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C43A1C12726508FF1192973DCB34A35,SHA256=C868C7CC3A019B3AE60DE5D31E26997C0B58208DA7CB792582873B3A1B55094B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401552Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:12.139{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8C94C440796E0E604CF548A1172C7BA,SHA256=24A7A22A6CE8BA70839B2B80C536D6C9D864DC792DC519077A3FA1A9417FE807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456734Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:13.483{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D4A3FA1ED2656C869CFAE01738D70F6,SHA256=F001FB579606EDC0FE229A47A0BCA78A054571196DFD00E41A2D7BC79F051A8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401554Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:11.403{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54128-false10.0.1.12-8000- 23542300x8000000000000000401553Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:13.155{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32AA01D0B0222B3885FA122C0E30F926,SHA256=25618ECCB33B62E089690AA3B0F9E24BCB99FFC9DBCDBAF715F48969A0945DC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401555Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:14.155{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDE0CDDAFA9FD35E6C1FFFD4D5F6E1F0,SHA256=2A67881978A6C5F42B8B8026E9A101DD3AED09EA3ABAA0E739283AD7806BB403,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456736Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:14.662{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=CF986AD52421B559A4B3C6A30EF03669,SHA256=B499F773A781AE487C3BA5F2439F4CC9E17A74FCD60EDFEA3E4237C6F6E328F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456735Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:14.513{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=189B95FB9011540F0C963C0525D2CA06,SHA256=7817005E7F9F21FB3EAA07127FECDE5E4E21789FFB189F04AE91D9664FD15C81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456737Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:15.528{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D06B29548F42686C0DA03566590A376C,SHA256=99906A5D8B97FC1DAF9063D8C5A82C364B03DD2166CF80FC5C68B298D915E659,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401556Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:15.170{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7570B278650EE7590E613E88B54A283D,SHA256=E099506296C01DF4AA58965A2E33F67A73E0D7CA31619EA16800AD96362BECEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456739Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:16.543{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F940E6566E9C97B05FC16A948AF0D3C,SHA256=295238B1C76DE9BE18F7701D7A4685F202E791AD0427A71EE2AF6CA2CC19DA01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401557Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:16.186{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35C365DBF18D6EC0ABDF1E9291F70757,SHA256=F335CD89420BCCBF2B3ABBB64370D41CC1ACEEABEA02027E6AA0DDFAFD799B03,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456738Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:14.607{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61170-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456740Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:17.560{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52005589BA83350F40B258F7CA68E2C8,SHA256=98F61C9A5DD8553700168DF9A0594537FE0C9402DB41E9385E9AF3A415E7F0A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401559Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:16.465{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54129-false10.0.1.12-8000- 23542300x8000000000000000401558Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:17.186{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99B28EAC6179FA56FD52F571DCFBA142,SHA256=04E2AC1A9C7CE1E14C50A834D996BFD41A67F8EF37670D1159C48A2F06CD5819,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456741Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:18.594{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6A48B44D09EF6ECB8B8B80959697ADF,SHA256=38C33AEA0246006A0D4DD641FC1780D5BD86284ADAAF24C3E40CBA7F95A117FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401560Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:18.202{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1042D21E930641E5C33DDA623BEEABA,SHA256=CD85C65454099A090267ACC3E000D0CE8C5CD9112C3B3C7D6EA6B8FF72DEA6C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456742Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:19.608{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E83B2C83D90FFF39B36F1DA02E46A57B,SHA256=490748393B0F3F15202895C6A23FE42B8821B07E2613F874926E680FD260977D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401561Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:19.202{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34552A12ABB53BDA4367151768A76878,SHA256=00F372DB18A5042D2D6D60127DCCD49FB9CC7FDA3B86AA13FB2514FD8ACAAB9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456743Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:20.623{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BFB98F9006909A27D7A1A7EAEE60D90,SHA256=8274682F71AFF1F6E08C1D422B864307998C11C1B596DBA92BBC8859ADAB95D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401562Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:20.233{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E7117C29B83BB6BBD100DDB644678EF,SHA256=06B302015A7FCFF99D512A1953BC95EB6E8850B7CF341CB5E07046D914DA43F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456744Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:21.637{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55BCD00F611B8232442FAB5D229FA66D,SHA256=4893874166E3D586BB05FA5467D473AE6C8D27CEE99F41104B552BD3B1403CAC,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000401564Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:47:21.655{7F1C7D0B-B3E4-60E2-1500-00000000D401}1036C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d771a4-0x475cba1d) 23542300x8000000000000000401563Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:21.233{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3EEA52E7265ED0F61495D05A00A7612,SHA256=CABC5B38224E525D719FB51BC2B44C9E88B20375A4253FC551D01ED719A81D51,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456747Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:22.753{D694AEB8-B3EA-60E2-0D00-00000000D301}9166936C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1600-00000000D301}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001456746Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:20.600{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61171-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456745Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:22.657{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7345DD8254D770B93288ABCAA2D3C48A,SHA256=0F98763106A19DD1924A17E6EBF0F2E8B2624692E6D5931C7386029CFF6510E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401565Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:22.233{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C91AD25EC1C3D05EB5F5DE30C1DF2D4,SHA256=C36E2B98F330C7A1E43AEFCB086C2763E76362D45480ECB2033B335FD475DCB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456748Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:23.673{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F6BE1ACDCFBBC80CCD170B4B160A338,SHA256=E56C3F827276CAAE67AF22CADA3C50FDE506FA4D865CD013A5418759792C5766,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401566Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:23.233{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=569FF17A3E2DBC06B3F870E5C0336CCA,SHA256=E17C61FAEFF5415BE942DA85087202178C5EBCD125E1CD3854BF34F30CB75F21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456749Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:24.688{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3350CEDAF1E9C9F0F687C5D896DBF1B,SHA256=3E6C364917491CC9BEC5E32397150AFEB95755EE1D580131602713BEFC4FCCD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401568Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:24.233{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C614B34A08C82D53556C268193DA9FB,SHA256=1C4B72403163CC03B784D76BAEB0AE24FFA0DFE8197DFD1B604DFA15E0ACB939,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401567Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:22.481{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54130-false10.0.1.12-8000- 23542300x80000000000000001456750Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:25.702{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3890E317563D80F10AD77F29E567469D,SHA256=A66B5644E242D8DF986B981593363EEA55071A5F3B79D8E7FD087436F77C4947,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401569Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:25.248{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3955AE037C22304839E8DE0C49555FB,SHA256=C9BE63FE41FFB419876675F415E2E35F2371C6F88F4CE047CEEAD50E4B113177,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456751Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:26.717{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D2398D7AB7F449547EAADD3026F92D0,SHA256=893E78E3662FA6BB97C6D316E6384E16AB2A57389B22D5F98629B272CAD2CDAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401571Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:26.405{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F1AEE5FE01F1A35645859698595E7180,SHA256=715746CE633F1B54474B68F7F87DDFEEF61C8FE1A1AD53400A194A1C44853582,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401570Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:26.248{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B0607FD01C5103E1700D78343F2C485,SHA256=4817FBF6F23956F21C7806A9B2F0E9894C1A29CF444DE5AD61A3D02086C1669D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456752Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:27.731{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D41BC0BD9CAED356C2A24FDBB852B5F,SHA256=B04B8F22302B850E66E75ADBB598C4A9E6C868C5FD27400DE789C72AD746F081,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401572Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:27.248{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7146C6F0C763C5BD5184E6CF2DA0CD8C,SHA256=3E7A575AD4B25E09B6100D8D51FCC114432DA4C6B92B1AFFD6B3FFA0B5276454,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456754Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:26.594{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61172-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456753Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:28.748{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE6E5E11858F83D92E562445AA160773,SHA256=4A426E1461A9C554C87A857947E8721593B7D6BCBB7A7D5EF32AE228AFFB6A57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401576Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:28.248{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADF0139E82F6D89171633E93566CF42B,SHA256=2379194211479D034BE936B3601CBB4D62092DC3BF6B8B992E18305018BF32F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000401575Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:28.248{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E4-60E2-1300-00000000D401}848C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401574Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:28.248{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E4-60E2-1300-00000000D401}848C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401573Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:28.248{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E4-60E2-1300-00000000D401}848C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001456755Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:29.797{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA7FB44823CE09FB8C55B7C69D1C385F,SHA256=507A4060D018964EC1D37BD1F59301D80B0D91C0CCCACAA8C68E34360038F6FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401577Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:29.264{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FDCEBC2E2BF862AC80FE729ADE2AC41,SHA256=8CA63A481EF07B17C67FFD8B02C3A2FC30A15E1839F5C89B3D9BE0E8660AACD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456757Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:30.927{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456756Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:30.811{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B13F29286FD6EC9FC4141C8219D9299E,SHA256=EAF8010AEA129F4501F1F498D113B19EC239D1716893309EC31000FECF984EB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401581Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:30.983{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80434EF7AFDBB6D3FC7B97432305B247,SHA256=9FCEFD1BB38AA2C7F0D92CE8587FEE29AAAA7C020C01EB84F5AAA00488CA9DC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401580Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:30.983{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5750130EC25D8444FE1E91AE5CD4AC55,SHA256=5BF9DEA50DA97D04ECFE0BB8A738D86F0203B371D2B61D993FC1761B3FA882D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401579Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:30.280{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B9FAB469EE32FEA9DF1C7142345F5AA,SHA256=EEE53B34EE89D4ED1DCFA0DA43076A4B2FEEB14ABE16253569CF1477B6640547,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401578Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:28.247{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54131-false10.0.1.12-8000- 23542300x80000000000000001456758Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:31.846{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC14003FAB6F578752687D4AC7E240F7,SHA256=A7BCE560EBDBA62ADBFD55AC43DE1899D68228F3C504B913700D1710CBB22D07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401584Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:31.545{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401583Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:31.280{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA14B5A0CC3D059313C54397E92DC207,SHA256=CEBB1370DD92B42D074C44F5A39614323962DDB820FCB39078AC9DF3F2855855,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401582Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:29.611{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-57367-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x80000000000000001456759Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:32.862{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01D9CE5C96A39CA92759BD2325C5199F,SHA256=9BE250DCFE6FF262051C9E7D4CA64B6822AB0BF465BE9526C75B664EDEEBBE45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401585Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:32.280{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7400CA6D307229E6765328ABA6D2CCF5,SHA256=25CB8BC41C6CABC0E96D23C97BAA71E72C03AADF9DAA0E74316808D4ABC0CFB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456761Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:33.876{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9CA82DB15CF1D1FA57B9E981DC0750E,SHA256=F6E5203246622300027FDA9BD7AA267C2919E15A3EAF7CCBE5E06521FCB0747D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401587Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:33.295{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DE917AC07E7230EDD18A0799D91C0FC,SHA256=7042CC1E24D927CF25ADB9FE758125DA9D464FD503C5CC608D9CD71E44F3CD72,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456760Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:30.358{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61173-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000401586Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:31.747{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54132-false10.0.1.12-8089- 23542300x80000000000000001456764Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:34.891{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8855BDFF39DF61688357BF2C5667C0D,SHA256=512D0A0A96A2638175951A19392F42E79121E09D25FE61A6E4C467C9FCE87900,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000401602Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:34.561{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0D76-60E3-090B-00000000D401}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401601Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:34.561{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401600Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:34.561{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401599Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:34.561{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401598Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:34.561{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401597Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:34.561{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401596Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:34.561{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401595Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:34.561{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401594Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:34.561{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401593Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:34.561{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401592Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:34.561{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0D76-60E3-090B-00000000D401}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000401591Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:34.561{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0D76-60E3-090B-00000000D401}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000401590Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:34.561{7F1C7D0B-0D76-60E3-090B-00000000D401}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000401589Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:34.295{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18AEBE4815AB0990F40321AA44852A43,SHA256=89F64FCEC9BC83C6B950532C9C0E3EEF545FE0AE0BF2EEB4F53286E74C97B483,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456763Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:32.608{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61174-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456762Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:34.107{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2454E789C51BADC7A61BDCC74D59637C,SHA256=D0831DD9C63A3DA9924F5DC2860D9AC0784AA5D1B537931F4BF2C86AAE99C7C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401588Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:33.263{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54133-false10.0.1.12-8000- 23542300x80000000000000001456765Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:35.905{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=079C9C8B03146092E0B98AF0360086BB,SHA256=DBDBB826D2B10CE1A264C46719AC6B44EE1E90662BAA6BB89706B055BA8C159A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401631Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:35.827{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B4BECE483CE364231986A0D37D17A0B,SHA256=C54F969F4C35D114BADDD2F15920A605756A101AE66293F4CD99B1ABEA5A8492,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401630Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:35.827{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80434EF7AFDBB6D3FC7B97432305B247,SHA256=9FCEFD1BB38AA2C7F0D92CE8587FEE29AAAA7C020C01EB84F5AAA00488CA9DC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000401629Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:35.733{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0D77-60E3-0B0B-00000000D401}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401628Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:35.733{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401627Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:35.733{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401626Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:35.733{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401625Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:35.733{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401624Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:35.733{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401623Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:35.733{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401622Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:35.733{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401621Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:35.733{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401620Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:35.733{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0D77-60E3-0B0B-00000000D401}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000401619Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:35.733{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401618Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:35.733{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0D77-60E3-0B0B-00000000D401}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000401617Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:35.733{7F1C7D0B-0D77-60E3-0B0B-00000000D401}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000401616Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:35.264{7F1C7D0B-0D77-60E3-0A0B-00000000D401}8883004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401615Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:35.061{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0D77-60E3-0A0B-00000000D401}888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401614Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:35.061{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401613Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:35.061{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401612Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:35.061{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401611Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:35.061{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401610Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:35.061{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401609Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:35.061{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401608Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:35.061{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401607Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:35.061{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401606Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:35.061{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401605Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:35.061{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0D77-60E3-0A0B-00000000D401}888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000401604Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:35.061{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0D77-60E3-0A0B-00000000D401}888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000401603Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:35.062{7F1C7D0B-0D77-60E3-0A0B-00000000D401}888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001456766Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:36.920{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C435A07F7F04F1AC827491DF8291346,SHA256=1184E9972C1EA56E7CE293D74707597F43D0BA73DE9B80E5B3ED3A48C8F980D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401633Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:36.780{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDE15CE1DD8BAC16CC70E0904FE8A3C5,SHA256=DE8254E47B1C2F0FFE0DC09CBC126296D86CD7483093FFB39F3B3FACEB03366A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401632Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:36.733{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA3C6B07C87ADAC93D6D73ED4BC33C12,SHA256=DEA1B78DCEC5F4EC948BD75C7672D04E72AC012754CF3D9EE0172BE0599904D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456767Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:37.937{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52DEAB5244160DB89DCE9865AC100584,SHA256=F248CC6712C0E049B7463B35F0B26234A6698FEEA18DE0004676582DB5AF07CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401634Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:37.748{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58926C9B8F5D7B281BB2765712FFF147,SHA256=EBFFE52F674B69DF3E415F56769987A760AAB9E3EA30FB4957114041E13CEEA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456768Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:38.954{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1E2C65D46315D2AA389C627E08B9AD1,SHA256=58E31B0D0E959187835F45B3237B819B0DFCA589D0574C6F03192E446369B6A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401635Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:38.795{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E0DD3BEB7C7B4DA69F2A371D0C2E409,SHA256=B0F9C6C3E6E6A26092638516E43D346429D9E7B23551369A33F3E88747F714B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456769Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:39.969{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7222DEDABBD689DA1A228F8133879349,SHA256=CD39457ABFF87E7C4FDF35A1A3FEA5DE9FF8CF48993F3CB7582B489502C4385A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000401664Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:39.873{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0D7B-60E3-0D0B-00000000D401}1488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401663Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:39.873{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401662Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:39.873{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401661Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:39.873{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401660Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:39.873{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401659Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:39.873{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401658Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:39.873{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401657Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:39.873{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401656Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:39.873{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401655Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:39.873{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401654Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:39.873{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0D7B-60E3-0D0B-00000000D401}1488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000401653Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:39.873{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0D7B-60E3-0D0B-00000000D401}1488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000401652Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:39.874{7F1C7D0B-0D7B-60E3-0D0B-00000000D401}1488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000401651Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:39.826{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8001BF96DC90F67238D7D5C533E4BA00,SHA256=42172E29AD4197E26836DCF4F259B7B6823FA87DFD4DC9FA48D1E95530257CDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401650Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:38.294{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54134-false10.0.1.12-8000- 10341000x8000000000000000401649Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:39.389{7F1C7D0B-0D7B-60E3-0C0B-00000000D401}12962276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401648Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:39.201{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0D7B-60E3-0C0B-00000000D401}1296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401647Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:39.201{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401646Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:39.201{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401645Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:39.201{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401644Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:39.201{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401643Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:39.201{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401642Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:39.201{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401641Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:39.201{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401640Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:39.201{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401639Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:39.201{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401638Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:39.201{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0D7B-60E3-0C0B-00000000D401}1296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000401637Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:39.201{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0D7B-60E3-0C0B-00000000D401}1296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000401636Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:39.202{7F1C7D0B-0D7B-60E3-0C0B-00000000D401}1296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000401681Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:40.858{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43A7E1FC02ED4F23D5F351693FD7DE60,SHA256=739139DF6C2119E752FE8BFEC82027EFC177488E560E67B7E80ADA07E994FEC5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000401680Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:40.764{7F1C7D0B-0D7C-60E3-0E0B-00000000D401}968592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401679Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:40.498{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0D7C-60E3-0E0B-00000000D401}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401678Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:40.498{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401677Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:40.498{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401676Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:40.498{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401675Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:40.498{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401674Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:40.498{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401673Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:40.498{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401672Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:40.498{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401671Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:40.498{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401670Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:40.498{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401669Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:40.498{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0D7C-60E3-0E0B-00000000D401}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000401668Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:40.498{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0D7C-60E3-0E0B-00000000D401}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000401667Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:40.499{7F1C7D0B-0D7C-60E3-0E0B-00000000D401}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000401666Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:40.233{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C110D55D73FF434F7CF701BD860C7D3,SHA256=702E4B061FA160E5F203DE87020E5AAA45CD05EAC9CE56D3C064F12DAA4AF92E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000401665Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:40.061{7F1C7D0B-0D7B-60E3-0D0B-00000000D401}14884056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000401696Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:41.858{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10088D569833F541C1CFC473F6D05B5B,SHA256=A75650752693E3D73EE67CFF2AB0541B5CA69A3800BC85F83219E813C3205B9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456771Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:38.616{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61175-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456770Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:40.999{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A88C4006AA737561374C103972F6C5B,SHA256=01476E2888DB01A6D4852E0C726057DC41932BE86FF21DCF8DE61906DA35A5E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401695Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:41.623{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E14A0055D8B7B374B7CABBABDB11CA35,SHA256=EAD88A66F96A2418FF1EA37959955F94F3DF76870A432CE575954E295DBDDC04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000401694Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:40.998{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0D7C-60E3-0F0B-00000000D401}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401693Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:40.998{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401692Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:40.998{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401691Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:40.998{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401690Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:40.998{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401689Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:40.998{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401688Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:40.998{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401687Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:40.998{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401686Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:40.998{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0D7C-60E3-0F0B-00000000D401}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000401685Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:40.998{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401684Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:40.998{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401683Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:40.998{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0D7C-60E3-0F0B-00000000D401}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000401682Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:40.999{7F1C7D0B-0D7C-60E3-0F0B-00000000D401}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000401697Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:42.873{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA8DEA02521E1C7DDE5CA60A8135CB6,SHA256=F62A0B191D04336C433555B899EF7E1EEE0E05AFFE86B39B6C2F5500BE7607C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456772Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:42.035{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56D3EBC8B4B22053BC9A2C6D3F512715,SHA256=8AC55BE023B69152070547F6764BB7FB68FDBBECD895B11E3661530D460940B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401698Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:43.873{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22EEB103351000E7DBA257BA0FAECD76,SHA256=4E86ED246B3A67A72E76F3A279B2DB545EADE1F4766C35D0ABE2EE99EDD5E97F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456773Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:43.049{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12776CF9A66C197A4885234C4634E557,SHA256=44FB940E4317A87F6E4BB3D2A8506F9977CCF14C141A58963DF4572A54150368,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401699Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:44.967{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D00EB1BCA5ED7C9E846DDD49777653D,SHA256=473F1F14797F2DB84E7B934DD4624AAF341FC8CF1A97115C10D71A8B3BB46961,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456774Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:44.079{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75BEB2129C54D33CE44A46D0F1EFD654,SHA256=C5FECAFDBAC7C54EFE8A98D60E5934912FF4D39560990E89596FFF6D43E5068D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401701Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:45.967{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E2F087DE801A560DC7C5DAD229F93D4,SHA256=2EC9DB0C91E20F69E06DA66D45341864954949C157407C832BD506BB01D323EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456775Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:45.094{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1F88762D450087DDC80AC7DE1DC9A39,SHA256=EBBA9FB05FBF4F0C5638A0A8324D2230F3EE642A877BD2B56D231A26E14D6924,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401700Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:44.295{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54135-false10.0.1.12-8000- 23542300x8000000000000000401702Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:46.969{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D34DC396365C9D520C593CC8C2C578C6,SHA256=C8431D8270062104A89A65838C793F4359513A8D3C39E554F2D7CDCDEA97C8C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456776Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:46.108{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D579E63B0AAA75313FAD9163C0683E25,SHA256=D2643980C4CD0E29FFB041EEAB1C98C6FACB0A0694BDFC9ED876165E5B9AF8BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401703Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:47.980{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8015F96CD111FCE45ADFEC9C03161A31,SHA256=4538F88E4BF6DC805F6BD19367819B24B521BFD2FA8966A2563FE47CB14485AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456778Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:44.624{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61176-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456777Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:47.126{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3D868500892A2D0511D6B8B82F1D911,SHA256=4E2C85BC15AD9F46EB07E165F27990C93C8D993D9E9F3E8486E70B09C570A16A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401706Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:48.983{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A61EB77E4376E801177034F7C0AC21DB,SHA256=B32C0240A574E265A27E973F54EBD3B8C6DE05FB562DD18C40716519843B369C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456779Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:48.159{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7855C254FF0D7203E26FE4A8DA061B58,SHA256=4E2B6ECAFDFE5047AE6EEB3C642B8AA97DC9D7D2C3B5E0434C46FE655A3D4F85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401705Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:48.605{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F97BEBE1BA968C386F40691BF88D5CB5,SHA256=D6C70122DC4851F00ECF9CA35956A0C5353B8BEDAD03099CCE20B362C3966B43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401704Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:48.605{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D18C6AA6D6B3D15D4B9069ABE0FF8EBD,SHA256=EE14DBE4D4C11A5AB2A12B1A75B86701B926B4112781A1699BD952E626B3C9BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401708Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:49.983{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBAD9DBD1B0F5943CA2010F90CA03593,SHA256=E45CA28A4B66F4FFA22F620CA1C41F6A77C86E35EF17A6FD8C18D6FF255832DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456780Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:49.174{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=571C9E0CCF69635626E4DA0C7CE9BA31,SHA256=3A277619A18EBF7860F0047B782DB7B580898D1F2EC53E92027CDA061F5FFCCC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401707Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:46.970{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-49695-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 10341000x80000000000000001456784Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:50.472{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1500-00000000D301}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456783Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:50.472{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1500-00000000D301}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456782Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:50.472{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1500-00000000D301}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001456781Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:50.188{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ECF0551D9C388D81086667EAE85B6EF,SHA256=343C554513BCFE81E720C9AD557E56BA8CC74648EA2B721CC95359209028D958,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401710Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:49.294{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54136-false10.0.1.12-8000- 23542300x8000000000000000401709Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:50.998{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7A8E3F95020F9794F3F64AEA930B23C,SHA256=7491A0FEC9628A5AD21BC0C0169F10336E5D9279D7E97CFD49B368E0CAA69EDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456785Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:51.224{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=012F947A434975F04083457F5B68A580,SHA256=05DEDE2848128D4B489C40D5394DDA81C8D9E09CCFCC14DB91EAAA5DDB0EB5B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401711Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:52.014{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FED7048CF2E04B42812E29EDCDFAE00F,SHA256=8AFFD096A6EC94660F3BC808B26CC305DD51FD0974C9AFEE7159F872492B8274,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456787Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:50.603{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61177-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456786Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:52.240{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=748EEB95A3D0EAAA78FB5B302C128157,SHA256=330E0E51016504FE9118CC47AEC01716CE55A07984E53FEBEE6E18A91DDFB356,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401712Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:53.248{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C304296B91AF5C93848F2D8F17DD815A,SHA256=827FC9D03A9693E0A0549168172F8BCED4E0A1302755579ABFFB5A7547DF6788,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456788Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:53.255{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A5F0A4E0134FAB786672A44EAC51DE6,SHA256=9D93C97570A95D368C990A8228A21CAF9994D7C611E0EBCF7D443DF7657CEFD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401713Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:54.373{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A349258627914D2EAC5352B3A417CCD9,SHA256=44A7414AA319F7912A9E27BB96510E13254D29F221E03AB58EC56D1309D7ACDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456789Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:54.269{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EAC95C77D96873FB86BA2BCCD0AAF96,SHA256=78C813E4DB3B5CC65850357762185F94A02ECD857855B3F9E8640735DCA94534,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456790Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:55.283{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0BA9C6DB39B43F0CB06E3349EBA3E39,SHA256=3801FE661620D625F38C5EFA5DFC31A403F5611BA2D5CF6B422040560A157688,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401714Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:55.373{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17EDC7BA8BF76C230ED6D02802B591DE,SHA256=2483B44C40A294CB3CCDAF45AE4951739C46DBEBCA7FC7518B448CCE62AA6A11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401715Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:56.373{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8CCB7B7B8A1F589F956703EEB911626,SHA256=10B14B41550441D2EA89AC74DB60643EA905B20BBCC8167D8F2DB9455AAF2B14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456791Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:56.298{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D30FC339156E274F325B2775532C722F,SHA256=4FC7F99433AB2E50C8EC706328561D33DCDF23E5B9149E7E43C88B885A096B1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401717Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:57.373{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85D1AE53159265BF7B3950621068C2D5,SHA256=6F1E5D24E5ACED5521BC41A5765C189E0324D6A21C4704B6C42C1EA9DC6073D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456792Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:57.334{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82AA49FB5DD9D3D2C53754DEEEBD04B0,SHA256=E517455C2FE4AEE12EF5EF27AF82AF4B8CE6C85C34CCEC8504DAE42470441E15,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401716Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:55.325{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54137-false10.0.1.12-8000- 23542300x8000000000000000401718Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:58.373{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CE5E546F8328201A34A9D0D245B7133,SHA256=E23586E46F2E3B6C5E2870D2D178537159E78169EFD64BB9D7F41FCF8A45BE9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456802Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:58.848{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0D8E-60E3-A10B-00000000D301}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456801Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:58.848{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456800Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:58.848{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456799Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:58.848{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456798Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:58.848{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456797Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:58.848{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0D8E-60E3-A10B-00000000D301}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456796Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:58.848{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0D8E-60E3-A10B-00000000D301}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456795Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:58.849{D694AEB8-0D8E-60E3-A10B-00000000D301}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001456794Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:56.597{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61178-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456793Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:58.349{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2DD0D70275870FDEAA8D21016A54F3F,SHA256=5017B36A2AF8D951E626E240E581E1067845BB2CFB98354AD4E79A3AE63A6890,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401719Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:47:59.420{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF20D3794809919F079647193B0B219D,SHA256=7E50E645EF21885D5FA21387B2B36E525FF4FBDFC68F2EB55E3E9375D9812C8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456813Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:59.864{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F1F4609330C086F7299475844A5B75D,SHA256=096CBDE577ADDA76E0DF807D44F348F094DB82B3189E28A56C55A02607EAB64A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456812Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:59.864{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=674A7D0836D572806867E6C813D099C0,SHA256=234BD259C4E75393260FCE2DAA9D25881AB5F261AEA2D26F1A6237BF32CF7453,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456811Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:59.432{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0D8F-60E3-A20B-00000000D301}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456810Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:59.432{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456809Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:59.432{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456808Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:59.432{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456807Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:59.432{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456806Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:59.432{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0D8F-60E3-A20B-00000000D301}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456805Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:59.432{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0D8F-60E3-A20B-00000000D301}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456804Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:59.432{D694AEB8-0D8F-60E3-A20B-00000000D301}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001456803Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:47:59.363{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2992C8C54358160A8DDCE0B7AA8D3CA4,SHA256=0F21C056885C80B2A3BBE41DBA80FF22FA17D97710CBED29845D5AD32E75422B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401720Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:00.436{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32EE10AC753F7D5FD4E812A87B41D976,SHA256=1C403376D72C0CFF82BAC3AB20A172BB5372887A84F2E3395E1495AF095647C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456823Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:00.363{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8DE3FA90D004D7E9C4A8B1A4E68F4C6,SHA256=AB5E13FB657CEDDF407E29FC98D05518B1F010FA6C8A2DE672D5D15CC69DE6BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456822Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:00.248{D694AEB8-0D90-60E3-A30B-00000000D301}69165208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456821Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:00.095{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0D90-60E3-A30B-00000000D301}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456820Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:00.095{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456819Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:00.095{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456818Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:00.095{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456817Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:00.095{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456816Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:00.095{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0D90-60E3-A30B-00000000D301}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456815Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:00.095{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0D90-60E3-A30B-00000000D301}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456814Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:00.096{D694AEB8-0D90-60E3-A30B-00000000D301}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000401721Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:01.467{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A58A79F91678BCA222D78552AC5DDBB,SHA256=15D4A73517B842A887FCDBB33740C496E56214036509C728774B863897AE47AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456825Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:01.378{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=191A9F48CF5BA20D1152D823354BA3BC,SHA256=B3FC828FFCC8D8FFC1477050CA684A57819AC62EA1808A26900A7F1ABF0B7CA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456824Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:01.131{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F1F4609330C086F7299475844A5B75D,SHA256=096CBDE577ADDA76E0DF807D44F348F094DB82B3189E28A56C55A02607EAB64A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401723Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:02.576{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E25A2ED63B9FE1F4C376C7D303A7947,SHA256=8FDA0FEC763E3FE7F570670121F98382BCBE43ADF44A8ACB1862684F91CBCE85,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456835Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:02.629{D694AEB8-0D92-60E3-A40B-00000000D301}54405396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456834Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:02.492{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0D92-60E3-A40B-00000000D301}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456833Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:02.492{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456832Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:02.492{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456831Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:02.492{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456830Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:02.492{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456829Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:02.492{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0D92-60E3-A40B-00000000D301}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456828Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:02.492{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0D92-60E3-A40B-00000000D301}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456827Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:02.493{D694AEB8-0D92-60E3-A40B-00000000D301}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001456826Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:02.392{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C6BB3AC299A2E3F673BB77EA9802449,SHA256=2EA836136C6DD7AD6A9D649F24CFA65EFDD0F585D2970B6517A108F1BE166B11,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401722Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:01.341{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54138-false10.0.1.12-8000- 23542300x8000000000000000401724Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:03.576{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=067AA4335C784A7CE9ACD8DD76A581AA,SHA256=D7155311FF500E1CF9A1751480375D9A54F4F90197FDDFBBA34C2F350F055FEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456854Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:03.829{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0D93-60E3-A60B-00000000D301}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456853Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:03.829{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456852Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:03.829{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456851Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:03.829{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456850Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:03.829{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456849Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:03.829{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0D93-60E3-A60B-00000000D301}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456848Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:03.829{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0D93-60E3-A60B-00000000D301}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456847Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:03.830{D694AEB8-0D93-60E3-A60B-00000000D301}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001456846Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:03.511{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D934AF078CDBFF6F9D68BAF36175EF73,SHA256=B53247A252469F378AB8BCAA70AD654B797D8E472FA90456D3B9844F1513285B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456845Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:03.414{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57C5AE11FA4A7D94512C3E05BAAF92E4,SHA256=013F071B53A799D6C12852FE7E8F1D5DE816B96DF04381A24C19E74180E01DCA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456844Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:03.314{D694AEB8-0D93-60E3-A50B-00000000D301}48242180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456843Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:03.160{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0D93-60E3-A50B-00000000D301}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456842Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:03.160{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456841Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:03.160{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456840Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:03.160{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456839Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:03.160{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456838Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:03.160{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0D93-60E3-A50B-00000000D301}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456837Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:03.160{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0D93-60E3-A50B-00000000D301}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456836Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:03.161{D694AEB8-0D93-60E3-A50B-00000000D301}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000401725Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:04.592{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3440596C293C381E5B510431782FA7F7,SHA256=2F94914460D8FD28529FBA1587D8FC0D1D1FB44E9AE3F394D046BDAB178E9E32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456865Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:04.846{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5691EF59D1BB682E7F83616AE086C536,SHA256=B630FC81D4447E7F9C49F8435A83AD1FF7E5F3AAA00D301607DF44BF7684967E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456864Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:04.609{D694AEB8-0D94-60E3-A70B-00000000D301}53603524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456863Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:04.454{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0D94-60E3-A70B-00000000D301}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456862Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:04.454{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456861Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:04.454{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456860Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:04.454{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456859Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:04.454{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456858Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:04.454{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0D94-60E3-A70B-00000000D301}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456857Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:04.454{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0D94-60E3-A70B-00000000D301}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456856Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:04.455{D694AEB8-0D94-60E3-A70B-00000000D301}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001456855Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:04.430{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15ECC0F74D6881B4DC5A7B1F72048DCF,SHA256=7E9E4628164EDC860ECD8ACBE30C2AB779BA19C1D2BC50FFB56F7A9A69EEAC84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401726Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:05.639{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=517CA210D472112DBB4D78438132BFB3,SHA256=5F9A09DA07CC06FF186F7E529C434E6F00E99F20A4FBA8887B85561DE92B8551,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456869Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:03.507{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61180-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001456868Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:03.507{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61180-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001456867Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:02.625{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61179-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456866Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:05.445{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=022E49AE18E28D40C2E879D28260C7E9,SHA256=E970C19E810A965BEA259FF4AC32C0893761B73821A1487F8E0AA862481DB894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401727Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:06.764{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=051EC066CB11E6D2031F6D1093A2FB4B,SHA256=FEA032167C4181FB9FE5DD511CD59124E548729DA62EBCA1CC85268FCA8A4340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456870Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:06.460{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF77DEC182B83766B13C23376B039D49,SHA256=7B12605F591C85C6C4AE756A95880B4A43609DCE0065A35680B9845B094B153E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401728Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:07.842{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E570794D48D14A1E01246D016CFB798B,SHA256=E1894EA1B0EAF631C07CBE43E68E6F51A41852A917C2F3A7DF520DC21BA6DCA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456871Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:07.474{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0068EEBA9817EFAC3CD54C39910598C,SHA256=465CCA88DC62C34D00101DDD7BB5CEABBE0D0F3B7D1AB1EAA2F6E9EEE7200134,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401730Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:08.904{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AD719F3A4787EAC26CA03E5970B614C,SHA256=53BCDBDC1285CC6B268EA7776F489A8082CE01C415A6B638D43F89DADBB86341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456872Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:08.489{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0909A5C15BDDCED87E319C67E1EF4C7D,SHA256=C551402B53B64878C005E204E0805CB465E9BB3531A41ABFD35BC01D78423727,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401729Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:06.357{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54139-false10.0.1.12-8000- 23542300x8000000000000000401731Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:09.904{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A44C1F32EF2E0BD60BBCB40D41794D03,SHA256=ED34F01F53BDDA09D33E7EFF87EAF17DAA1F1B25B94F1714CBB524388A8E24DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456873Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:09.505{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38987BFD5376CF779D6F2163070FABF0,SHA256=76A8AFE460235F1A24C1683DFF91301E47B7FA762F4ED871DD7D501E6CB95B62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401732Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:10.967{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07A9EE6DBBE260944EE271F49EBC51EB,SHA256=1C1CEA77E5C0713DB8D13FCEE9CE426B65C59FC23F83A9FB29022D67824C32A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456875Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:10.525{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C7BE1905AB2148A342E5BB151997277,SHA256=5632846B98A58799F3BE8A1DFD99497BF9324E3D5D4A52CB62090B9B770A2A21,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456874Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:07.636{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61181-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000401733Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:11.967{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4EA1306B2CC9AB9B31382A681AB1F6C,SHA256=D4F3484F90845EE801025B264B0C52CF56FD11CDEAD985B63F5FD6AB4173D737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456876Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:11.540{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB62DDCD60C484DB7E77F2178BDDA681,SHA256=E70FC61363BD756A2E04E585BC6F131782CB8D6FB35DAE355E08EDA8BA65B4E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401734Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:12.983{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40BDA622D28535C659B468670E0D05DD,SHA256=2FA3379C43678698B864582AB64C5E3C53282407B2E6766071B5E464A2B83412,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456877Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:12.570{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C161FDCFD1212652988648011AC84C2,SHA256=81B6DE402DD38C36C8733090951156FA79B4DA5984FD15AF18D8FF7E497D5F1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401736Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:13.983{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DCE13844834BABADCAA606F8200C430,SHA256=53B4264A56ABE48BF8E3BB6264B3E2C07949BCC5DC73D2AB0273A8448C04DE23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456878Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:13.584{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72DA06E278C074664A1B1018923C30C2,SHA256=58001D5C3E80464006F51628B0521007BEA25075141B680E2AF9ECE674A5E0B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401735Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:11.404{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54140-false10.0.1.12-8000- 23542300x8000000000000000401737Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:14.983{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58C97A37F1ADD95BD0BCCC1CB6FDC503,SHA256=71291B3330B7678F8A0700B7F25F393432E8DDFE30329FF4E3FB0E550B0ACD59,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456880Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:12.647{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61182-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456879Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:14.601{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FCC16DFDB1D329A8B118898B8491C99,SHA256=06DE8CF34354EC3DFAE7E3883F41DD3A99CAED53890E36C07CEC8FF1EA3599C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401738Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:15.983{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6E070B13AF83D29C040A644383BC806,SHA256=31B3B92F31BE11C8782B5D58D923C3D3E6BC56CF21428EDAA01F99308F0AFCD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456881Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:15.619{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AC0954DF9C90E4702AC5176D70DF0D9,SHA256=04D5FE68098B7C9F7717848E26B5E025699B0829CC1A90DADE9133D442E90B9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456882Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:16.649{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02EB2F84383D93CBA7EA38BD3EA49533,SHA256=F03456C60E1E65AF1D2DAA2030B8BE00794771384310104E22FC9D69E5F547FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456883Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:17.664{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=299BCCBEBE2BE42A5D18BB9FAAAB0246,SHA256=838937C530B7000F8274A22DB0BB837AC9D0D58A59FBD6F2282BFD0B733D92C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401739Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:17.014{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BE89802F98E7035A9810BC987EFA0DF,SHA256=742A280EDA4EDEEFBFF2D6018096FEB2441D2A49A1C642258729C7442DF6DC94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456884Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:18.716{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D86EA5BDA0ABE8E950541CDBFB9EEAB,SHA256=8EFE4A6DFD81D8A6B161C108F0EC3AE910B950ABB897C2724A0938C87E0C402B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401740Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:18.029{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC4D2550B0D8844BCAA86299639162D8,SHA256=AC593CC5B66385002A783F83688BA9126017699706C50CFD6F3333AD817A7029,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456885Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:19.730{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=435DE05F813EBA742A317EF9D7343EB7,SHA256=567191C771F5C9147AAACB456635D2A5D8754F792E13CB01CA9C1F407E516329,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401742Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:17.435{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54141-false10.0.1.12-8000- 23542300x8000000000000000401741Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:19.045{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52098687E5D99D5573D9B7F03FF86D73,SHA256=7AD910D8C2175CB24D95DC5F7CA80DCEC5C08D3D4E16514B8144C7BF45C995D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456887Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:20.745{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6310AE0F9A38E9A6A9331961517EE2B5,SHA256=EB38DABA9AF7D8727618BC0C848FA6E8B84929DBD2BEDC966C48CA308814568C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401743Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:20.061{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B4B337A9102E777D89DE2DF22475513,SHA256=AB73F486245B887B0D5BCEE2A569A38F84EA014F2BFA120863A455C1CAD29A34,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456886Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:17.678{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61183-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456888Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:21.759{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2230439A70C34804BD440DEA58AC930E,SHA256=742DC74E367A97533682A08B03BE1DAC2E7F31DA916BBEA34DE3F1C92431FAEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401744Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:21.092{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B515C01DAA9984818CD46DD3A16C9D8C,SHA256=DFD853FFB4846457FE6A3EEBC3C979E5F7B03EDAE16F5DD1728E4AAF25295EE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456889Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:22.774{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5065DD4441368164912477846905016E,SHA256=3994519A99F79D00AA13A08C4A9554C57AC406BA1E886220CBA78E4BE4C37774,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401745Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:22.092{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0134EF71445AC19276EC346841959AF,SHA256=0C423D2A942BBADCC24976AAB47D50A5747D2834B7E042F5CA1E8728A0F2BD91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456890Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:23.790{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9B6DBF7443490F29C9C7427E59E5D44,SHA256=F43031301AE053302B07168F7D6433BD490986760AE585A8F3B413F4F6B87247,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401747Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:22.451{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54142-false10.0.1.12-8000- 23542300x8000000000000000401746Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:23.092{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E810E5C5454577BAEBABDDDF6A8802C4,SHA256=8D71E2758B49CB238AA4622C0240759538A23A87A51840F95F457B3204EB4659,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456891Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:24.825{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20085570CF87F00165150CBFE79A25E7,SHA256=92357E42D038E01DB15097707497C8F9ECBE1FCE8FD926F49FBDA7CD72B9F906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401748Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:24.186{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2516B0AB32F52C6E6299446FCF70E82,SHA256=2045B9742D446C0A9F261EE33C57D96E295B62483F5903BE033CFD150D002655,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456893Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:25.839{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E56B7CCE074F2A5F7384AA068D5287C4,SHA256=FF00F5E52DBF315623E1358F4A6DF22255A4D1616641F9292DCE33A377B425AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401749Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:25.201{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86794234AFF9BE0FC0C95DBDFDB93F24,SHA256=C01AA25BB1F9080B584751DE9E9D945089FD4B60B9951C4EA3A3D5C48174AF5F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456892Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:22.688{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61184-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456894Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:26.855{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65D5F5ED4A794E587E36AFD575E2B975,SHA256=F29DEBDE8D35377230717AEEF14AECDD40D0F6674709BA53960B68A10FCCF456,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401751Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:26.404{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F71ED06A37658AF879B31EB1427C599E,SHA256=10DED855C20ACED55ECCB5B2BBCFFD7E67688BA8FE72F4EEFDD6765C36D08C09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401750Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:26.217{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6793ACD43016F86CACBAFF2AF2CE2D90,SHA256=022A901B087589C391DFC29A9D28C56CB4EA2666E281C42572F0790FBBA3BC94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456895Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:27.869{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53B28DAE58443BEC89FBCA2BDC9DA9D0,SHA256=8626DD9CD53824BD68B5C2AED7D0063BCDB8C573C898365EF8D60CD899D6FFD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401752Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:27.436{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29D2841B143338D6AA3D2E7A88BF95B6,SHA256=62F736DE35541187D09DFA9B0688586BACB67974E0E6075E9931EC6BCFA5B48A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456896Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:28.886{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DB757F7F68673B7A1BFB389A69AD9D7,SHA256=C50F47A0FFA863FBFB1E7849E6B78C9D34DA29961A2E40D036D22C392CC4A320,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401753Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:28.483{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1127719BE70069768EFE3ADD42A8410D,SHA256=891DB0E1E887526D0A2694B6E4D604E0E70E00C0870DB3070C1C916834F3507B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456897Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:29.904{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD0ACF38A826526D6817D2BD42160513,SHA256=4B00A8CC731571E3630BADCCACC9FD0B9B29CDC695351E43AEDF73561DE6A88E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401754Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:29.545{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7164F2B2C86B8B90FEDA03BCBA2A256,SHA256=7001FE533E385C5B362A5671DE5DFA72E42EB901542FB7BAC724B5296A5ECD6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456900Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:30.934{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456899Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:30.934{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76359A9823ACD395556C3244B1D0EF33,SHA256=EEB2131EBC9E5B46E1A3165A6F09A2D1498CBECBB6FCA2C8EC923D8DB7B57254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401758Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:30.545{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7212E36ECA7DD1EAE61DAE9BDF3058C,SHA256=F55C4FCD75B777F717A9CDD783AC7FF59389F34C740E5E36725281798CFA11AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456898Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:28.667{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61185-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000401757Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:28.451{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54143-false10.0.1.12-8000- 23542300x8000000000000000401756Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:30.279{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C07441E7E832107993AC300846AAA12,SHA256=9CD1B13641ADF5CC63724BFFD5DFC62E547ED56B83B51A00A2E02B47C3DADFC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401755Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:30.279{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F97BEBE1BA968C386F40691BF88D5CB5,SHA256=D6C70122DC4851F00ECF9CA35956A0C5353B8BEDAD03099CCE20B362C3966B43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456901Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:31.949{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EC46A65DE3B11B1FB222B6A13822FD9,SHA256=1AE6E9474936CD747E031DFA328F1B9221BB5505292146A6C0A16157A8F7B826,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401761Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:31.561{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401760Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:31.545{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E39536ADF36B61EC39FC3921EB61431F,SHA256=7CE7809823CC12FDC3E2ABB5E8FD532236D9510ABA98B50C1A17B05D846090F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401759Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:29.239{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-57353-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x80000000000000001456903Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:32.963{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AB064D94E0F91DF7FD5BFBFB25A4876,SHA256=B0B24B3F2EA607F31160EACFEF249493873A5E16C7196FA98F30D016310B2E58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401762Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:32.545{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE3E15506BA4047223312B1DB7A4C76C,SHA256=F792674A4CD8EBFE25B35F88EF60DFD7AEDFF29E80FB1B2594CCC712B7E07C4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456902Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:30.381{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61186-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000401764Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:33.592{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE35A2E15726C3798FE1C4764F9B50D1,SHA256=FEEEF19E53C35DE6596D009DA3734F43E6BF45E1BC1C9C93570D6AFD3B001BD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456914Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:33.983{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2722A05CA25FECB64F22CDB429CB0319,SHA256=A4D7B9976BEFCC4CD75AFFDC568A22D95E979330FF3ACFA9A05EBF42B2C3A798,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001456913Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:48:33.400{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001456912Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:48:33.400{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x015ec712) 13241300x80000000000000001456911Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:48:33.400{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7719c-0x0fda73d9) 13241300x80000000000000001456910Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:48:33.400{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d771a4-0x719edbd9) 13241300x80000000000000001456909Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:48:33.400{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771ac-0xd36343d9) 13241300x80000000000000001456908Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:48:33.400{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001456907Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:48:33.400{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x015ec712) 13241300x80000000000000001456906Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:48:33.400{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7719c-0x0fda73d9) 13241300x80000000000000001456905Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:48:33.400{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d771a4-0x719edbd9) 13241300x80000000000000001456904Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:48:33.400{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771ac-0xd36343d9) 354300x8000000000000000401763Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:31.764{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54144-false10.0.1.12-8089- 10341000x8000000000000000401779Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:34.858{7F1C7D0B-0DB2-60E3-100B-00000000D401}25082476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000401778Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:34.608{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA88DD2899CA403D503CCB661F87585E,SHA256=4B8815C97A18B5BB4C4FF0A7A18CFCAEE4DCDE60298BFEB46C3D4D8AB8C91557,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000401777Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:34.561{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0DB2-60E3-100B-00000000D401}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401776Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:34.561{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401775Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:34.561{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401774Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:34.561{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401773Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:34.561{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401772Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:34.561{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401771Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:34.561{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401770Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:34.561{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401769Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:34.561{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0DB2-60E3-100B-00000000D401}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000401768Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:34.561{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401767Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:34.561{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401766Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:34.561{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0DB2-60E3-100B-00000000D401}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000401765Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:34.561{7F1C7D0B-0DB2-60E3-100B-00000000D401}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001456915Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:34.115{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=DE9FDC6C6E595802251B6A537B170FEE,SHA256=B51AF8055485C7413A6E7912320482CA9B25240FC701ADBC8A72E370AB478727,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401809Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:35.795{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=789866B8022A0E570F33E03CC5B5CF6E,SHA256=477E3667E1BEB0112C6D49239D180DA782054127DAEB9AD210F90004B6624350,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401808Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:33.466{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54145-false10.0.1.12-8000- 23542300x80000000000000001456916Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:34.998{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D0EA720FCB2D606A947DB75548A7A2A,SHA256=21FAD280B324F820C8E19425103984B85170A57F377691F3C74379068E326A95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000401807Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:35.748{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0DB3-60E3-120B-00000000D401}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401806Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:35.748{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401805Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:35.748{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401804Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:35.748{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401803Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:35.748{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401802Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:35.748{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401801Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:35.748{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401800Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:35.748{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401799Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:35.748{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401798Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:35.748{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401797Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:35.748{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0DB3-60E3-120B-00000000D401}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000401796Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:35.748{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0DB3-60E3-120B-00000000D401}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000401795Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:35.749{7F1C7D0B-0DB3-60E3-120B-00000000D401}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000401794Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:35.639{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FB9BCD9B4676D25D6CC735EA7C0E789,SHA256=E6010E528E3E33A39742750A49F101E8FA3EFC9B432FB503A2074444360405E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401793Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:35.639{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C07441E7E832107993AC300846AAA12,SHA256=9CD1B13641ADF5CC63724BFFD5DFC62E547ED56B83B51A00A2E02B47C3DADFC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000401792Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:35.061{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0DB3-60E3-110B-00000000D401}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401791Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:35.061{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401790Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:35.061{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401789Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:35.061{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401788Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:35.061{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401787Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:35.061{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401786Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:35.061{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401785Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:35.061{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401784Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:35.061{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401783Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:35.061{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401782Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:35.061{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0DB3-60E3-110B-00000000D401}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000401781Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:35.061{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0DB3-60E3-110B-00000000D401}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000401780Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:35.062{7F1C7D0B-0DB3-60E3-110B-00000000D401}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000401811Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:36.951{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FB9BCD9B4676D25D6CC735EA7C0E789,SHA256=E6010E528E3E33A39742750A49F101E8FA3EFC9B432FB503A2074444360405E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401810Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:36.795{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A5FD7C07BFB7A39A268E3B0DA6EE7B6,SHA256=B2DED5C61316C0856BE45FCA9212EF778D947622C61368EDCF17601716FE3151,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456917Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:36.028{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C0093E1BF06B63D69D39B955FA90761,SHA256=88B1706E9FAA49A7E69237839D186F8E1893518EC99077CDA69896C831390F1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401812Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:37.811{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32185F0FF6842483D6C37D1BA9A71B95,SHA256=D3D603607E22DC93BF17B6D060596D105B799566538D4BCE9B30F57011C2A8B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456919Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:34.644{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61187-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456918Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:37.043{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DEBD0C5A73BC47E78AF25FE7BB0FBD1,SHA256=52EE20C90E6B86FB509658B921BAA76502E6CF0723F17D32D490B0DCFE49EF66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401813Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:38.826{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB8142A3244B005EDAD8A9225173D75B,SHA256=8CE2BD85F76394054ED5E1B48247A383282E47F8E20E76E4082DF9F8BAB2E493,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456920Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:38.057{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E7D9A03F77F20BB078E593D3085CCBE,SHA256=9F34D8EC1F219E9B8695A514F1441409FC26360C18F40B0F3F7D7C20449C0E8E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000401842Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:39.873{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0DB7-60E3-140B-00000000D401}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401841Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:39.873{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401840Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:39.873{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401839Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:39.873{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401838Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:39.873{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401837Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:39.873{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401836Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:39.873{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401835Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:39.873{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401834Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:39.873{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401833Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:39.873{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401832Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:39.873{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0DB7-60E3-140B-00000000D401}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000401831Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:39.873{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0DB7-60E3-140B-00000000D401}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000401830Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:39.874{7F1C7D0B-0DB7-60E3-140B-00000000D401}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000401829Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:38.467{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54146-false10.0.1.12-8000- 23542300x8000000000000000401828Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:39.842{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2DA07EE2E9BE297EAB5B98323F5E77F,SHA256=D05F0666778D0425AA268715A95747AA1815406496B5CDE3713140E83231B086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456921Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:39.094{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCF2A8C552E597F75CF034D8798D2CE7,SHA256=D294B53028FBA72FAB04B0983F0F85C043C1B5F9D0476A5BB1CD90DE7D19481E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000401827Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:39.373{7F1C7D0B-0DB7-60E3-130B-00000000D401}3544532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401826Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:39.201{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0DB7-60E3-130B-00000000D401}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401825Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:39.201{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401824Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:39.201{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401823Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:39.201{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401822Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:39.201{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401821Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:39.201{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401820Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:39.201{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401819Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:39.201{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401818Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:39.201{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401817Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:39.201{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401816Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:39.201{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0DB7-60E3-130B-00000000D401}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000401815Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:39.201{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0DB7-60E3-130B-00000000D401}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000401814Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:39.202{7F1C7D0B-0DB7-60E3-130B-00000000D401}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000401870Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:40.904{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0DB8-60E3-160B-00000000D401}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401869Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:40.904{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401868Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:40.904{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401867Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:40.904{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401866Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:40.904{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401865Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:40.904{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401864Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:40.904{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401863Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:40.904{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401862Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:40.904{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401861Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:40.904{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401860Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:40.904{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0DB8-60E3-160B-00000000D401}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000401859Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:40.904{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0DB8-60E3-160B-00000000D401}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000401858Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:40.905{7F1C7D0B-0DB8-60E3-160B-00000000D401}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000401857Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:40.404{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0DB8-60E3-150B-00000000D401}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401856Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:40.404{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401855Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:40.404{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401854Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:40.404{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401853Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:40.404{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401852Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:40.404{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401851Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:40.404{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401850Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:40.404{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401849Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:40.404{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401848Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:40.404{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401847Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:40.404{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0DB8-60E3-150B-00000000D401}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000401846Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:40.404{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0DB8-60E3-150B-00000000D401}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000401845Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:40.405{7F1C7D0B-0DB8-60E3-150B-00000000D401}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000401844Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:40.201{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0642665D89206B8C2698B6536C160B01,SHA256=4482F7102B4106A197351348A2FA655FD62BA7E55E67FC9078442816F383502C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000401843Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:40.123{7F1C7D0B-0DB7-60E3-140B-00000000D401}40362324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001456922Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:40.109{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC3A15F8B3389447B411024B618929E9,SHA256=C8BD6DC972429BA08409E0CFDD9634FFB28BC31B16D628BD2EA9ADC7B1BFC215,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401874Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:41.983{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D97CC57BE1A8E19A2ABBBC7E03F025DA,SHA256=86DBF2BFD5816BC958FEB0FD62A743E529F65686349844C78A23E92EED27B580,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456923Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:41.124{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA38389830A2D84651B201B0C740EE7F,SHA256=E393CE175FC6D258D66C64912980642ECADD4792F20DAFBAC19BDAFCB111E5A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401873Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:41.639{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C849FACA60382CE1B19B4D0E8ED2FC3D,SHA256=95968DD0DEA426B8D586536CDE838907AD8282CFF88F14613BBCBBB0F3DCDE3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401872Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:41.404{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15183D0BD21E1C896F3700A8A5361A8C,SHA256=A6A9C1BCA3A17C7F5D76B708F718650BE0EE202AD6C896BAE4D36355C4142FB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000401871Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:41.123{7F1C7D0B-0DB8-60E3-160B-00000000D401}32121072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001456925Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:40.639{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61188-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456924Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:42.139{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F30B049D273A0F123EC8BBF713ED5A14,SHA256=7DFEA318CAEDDBA10D69C91187BDD6F270FA9B81A44901CEBBD89BC85C552F85,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456927Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:41.223{D694AEB8-B3EA-60E2-0F00-00000000D301}376C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.130-27094-false10.0.1.14win-dc-201.attackrange.local3389ms-wbt-server 23542300x80000000000000001456926Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:43.153{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D90A6EA972F644D8CCA33196C06F063,SHA256=E3D16F0714D5C2A8B6F2B8CFBD921C4A993774C1C20919A08A8C595F5BD374E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401875Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:43.061{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD8D3D83238FB4D23E9039DE38C89A1A,SHA256=751EC7B9791DC6297DEA36EAEFB784A14D9BD7C507B15CFE5145D0632B80FD86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401876Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:44.061{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B17C2FD39F9F4852F1C442BE3A34E05A,SHA256=76A8844CAB9664735464D8D1BFAFB9459C799F14CC2DE3001A5F0943E8C0CBF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456930Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:44.336{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52419F402520FDA9E9701C00E3410A9D,SHA256=CBF61D2EB573C1825240666E6DB4D3447D3B61CEBF058DE8BA56C27699296E5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456929Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:44.336{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2E4834153B0846BAC3C605397185817,SHA256=20ADF77F71EF5E2714B5B5EB52A6EB256CE4FC552ADDE8A0BF1CFA2EE21D85DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456928Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:44.173{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D45F3048A45139078CFA7ADC5735BFF,SHA256=989132BA58F2D2DE6BD94298B80C01C0C3FE3DA325DEB78F1EA0214CDFB42D5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456931Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:45.188{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=510B763D784AA80CFEA3B8FF8BFE7BFC,SHA256=D579295D552A9EB29E3190FC5216062859EE18C8B031A89DD5A33DE1537AC336,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401878Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:43.467{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54147-false10.0.1.12-8000- 23542300x8000000000000000401877Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:45.061{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06CFD73B38DBB3482E4D04428497018A,SHA256=11DAA47CD7A0929A1BA5F611CA3E97640CC1796B5ABF48983FEFEACA1929F237,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456932Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:46.203{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11982CF09259DB980BEBA75A94E56048,SHA256=168633847AB949D39A43C13B1405CBA03DA7AC5B3F525B58C3A2539A27F541D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401879Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:46.061{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7CE6C595CF4F7BE20E1DD308DE01EF0,SHA256=B9B6FDA5F3042DB23B6D9F3D7B7BCAFB7FB6584A205A9B1DCE957292C2D1CE0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456933Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:47.217{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D85A5C67D3E84E2F156F2A6A49FDA0AF,SHA256=D5E72B3907733EFB5BDF25932C15A05BDE1E5AC58147C9C3C627425AF401A646,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401880Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:47.076{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B686AC2BDE7200C0621C0670FE4C5901,SHA256=CB9B1595421A008BD083D626FD98A22C3D8B96B38210D8E8CB1404D6C86B3FBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401881Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:48.078{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12117A98DA732EE34BF543541B1D09C6,SHA256=2380041879080559C2C023F268294FE0E25F0B415E56DC8D96CA27A492B683FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456935Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:46.648{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61189-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456934Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:48.232{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AA388CCC4313A23034619781A63086A,SHA256=AE0C68A3455C778C2438B678CB7C49973B65E95422C66C22181EF9588874F6DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456936Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:49.247{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B1FE6482EF880BA3D12A50CEF624E26,SHA256=68284616B0969233E2AC8A5F7F7A22AC2960A648AC359E5CE0B58568238BB342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401882Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:49.091{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21006CFC158BD1FDC5A600E2231141B9,SHA256=072269D4AE8773563F0BCD50F3132A90BFE025958B38E698767B41C7E63F8943,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456938Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:48.374{D694AEB8-B3EA-60E2-0F00-00000000D301}376C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.130-5856-false10.0.1.14win-dc-201.attackrange.local3389ms-wbt-server 23542300x80000000000000001456937Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:50.248{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E537077B9B2FFEEA1D64ED1DC96B444,SHA256=F1E92B617E81341DFE7A410D7145F807FAAF5F3EEE15DAFAD8000849D97ACD83,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401884Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:49.278{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54148-false10.0.1.12-8000- 23542300x8000000000000000401883Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:50.092{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7B510DAA435C3A0E043661B431DC55C,SHA256=0AF542B361BE00104909B8F22781A086AE59D8457F620DAA2739A4E32F258D85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456941Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:51.631{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A58C2A179E436C24997CCE3C6216523,SHA256=B2263748383DE2AECD6ED85EAAC83557B4FF4E583431C0399D8E4890AC67BC7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456940Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:51.631{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52419F402520FDA9E9701C00E3410A9D,SHA256=CBF61D2EB573C1825240666E6DB4D3447D3B61CEBF058DE8BA56C27699296E5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456939Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:51.267{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=239D8DD58C7DD5892D76FC2860BBB8BA,SHA256=CACFC4B24B95AE730AC6456FF5068AFE02F6C07F2FDB51D71C11FAEA17FAAF2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401885Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:51.092{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC2DAE7846E4D187354481DFD76AA928,SHA256=90C9AFC75A2A6E7328A5591C9B0E110412A085A964014746C82722D204D975E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456942Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:52.283{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FEA17DCF964959284C156D93B83414C,SHA256=4CB6940F7060B9BEB42A39E8D523A8F9AA4A5C4887E39894ED52986CE4A45DE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401886Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:52.092{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4E32CA3299041B76168A6617CDB37A0,SHA256=C355232386C6631618BDD2469800E6544AA0DCE57A36BA15E14E2E066E730E2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456943Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:53.298{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FDD88A16FF2B7AEA37BCFC1946D921B,SHA256=235497B5CD20598DF3C8F2CF1D7A64115332EF0E16223E6696F357BAF206D8A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401887Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:53.092{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29452F50AC507F7C5DAE70809E43AA8B,SHA256=18CD43111FEBF0CBC2A23B664D528388E4926BE88ECD52A080ABAEF5ABBDA495,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456945Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:52.660{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61190-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456944Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:54.312{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17C244220BED03B353E0E9459B49B426,SHA256=721B6BA90F6D91F09C2D9DDABF7B9823B2ED59E23DFED685245D50FFAAFDB0E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401888Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:54.092{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21C414E1F0BA77006222D3EBA194378A,SHA256=8E9E05A5F7C98548BBEAFD596D6CDE56DCB3B6FC371D441F85BD5B7F065F08E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456946Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:55.342{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07CB241D0BFB9D5B95CED926D17EE4DC,SHA256=F31EAE2B286EE7FFE16333C0EEBED3929FB3B7DEBDEF7F064C9DC783C87066A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401889Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:55.092{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F47B00A3FFC7F92675256247778FF129,SHA256=87FB6CAF847C4E4E874FE93B713901FB00F0E101EFD82535B117FFC664780676,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456947Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:56.359{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB87C6D118D749FDDC62538E6E753568,SHA256=65DFCBE61D24E73C4DA3A0F01707F6F0199E1C687E50EA0BEF538CC4E85806EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401891Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:55.265{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54149-false10.0.1.12-8000- 23542300x8000000000000000401890Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:56.108{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CF6FF7DB92A4C43994632FB271D5278,SHA256=49A37DB0D3C69C061831035BBC719311F03A5841B7D1C95EA82B2D520605B896,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456948Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:57.377{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A74F69F8463295F7D9629290F4DDC23B,SHA256=1CEE2F83F0BF613915B1562EC61039EA0A142E74B73965DC2AADC07C1E43833C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401892Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:57.108{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CC7FFEC18A61D4EF7ACF652BB36EEE1,SHA256=DAC1471751CC72CC05CBB20DB132E28C233C3167BAE8D26B3A7CBBC178AC6861,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456957Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:58.858{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0DCA-60E3-A80B-00000000D301}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456956Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:58.856{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456955Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:58.856{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456954Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:58.856{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456953Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:58.856{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456952Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:58.856{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0DCA-60E3-A80B-00000000D301}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456951Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:58.855{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0DCA-60E3-A80B-00000000D301}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456950Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:58.854{D694AEB8-0DCA-60E3-A80B-00000000D301}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001456949Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:58.407{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30DCD245C819A193648DF0FADB315C05,SHA256=59157BBCCFD5D671C340BB72B6E7FEF544F51F4E26F53F417EFCFC51297CBC48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401893Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:58.108{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4C8C2108BF7B68F7D0BE29A69B5195B,SHA256=21D1DC71D3FA6980846C17B5067C83CE22F9B415F03A85E85DDA5756E15B9F7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456969Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:59.874{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72612EF5D7DD47DB036531C7A396E6A0,SHA256=E62156E4690048B7651C4D37559240D5473297BAB8DD50D21059F8DDB3AFA2A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456968Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:59.874{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A58C2A179E436C24997CCE3C6216523,SHA256=B2263748383DE2AECD6ED85EAAC83557B4FF4E583431C0399D8E4890AC67BC7B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456967Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:59.674{D694AEB8-0DCB-60E3-A90B-00000000D301}2352616C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456966Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:59.506{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0DCB-60E3-A90B-00000000D301}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456965Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:59.506{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456964Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:59.506{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456963Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:59.506{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456962Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:59.506{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456961Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:59.506{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0DCB-60E3-A90B-00000000D301}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456960Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:59.506{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0DCB-60E3-A90B-00000000D301}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456959Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:59.507{D694AEB8-0DCB-60E3-A90B-00000000D301}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001456958Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:59.458{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4AB02C92C44BAC1465DF1C4C3EF71A5,SHA256=9463899597434537C4E70FF4DDBA8F9F2E4FC7B1EFCF3B373DA118352352C34A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401894Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:48:59.108{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9004879A26D140D11898AF6F947573B,SHA256=4C7BD25A14E8E2D09028CE557D7D2A0DAAA76A1C4DCF6D0549D67D8DAB87CCB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001456978Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:00.474{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BDD608AF075B72BDE7F84ABC0AAA061,SHA256=DAC405A92341081D5B5846E682EF7E5A6B3C99830D736D18E69C54B2A1681B2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401895Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:00.123{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6B7E877E3A18EEC78385160403ACFC0,SHA256=A18817BF25122E9ED9A89BE8DE867459C6F4F3FB4D85C14F985E2889A809D018,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456977Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:00.174{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0DCC-60E3-AA0B-00000000D301}6580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456976Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:00.174{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456975Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:00.174{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456974Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:00.174{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456973Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:00.174{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456972Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:00.174{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0DCC-60E3-AA0B-00000000D301}6580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456971Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:00.174{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0DCC-60E3-AA0B-00000000D301}6580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456970Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:00.175{D694AEB8-0DCC-60E3-AA0B-00000000D301}6580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001456981Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:01.489{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A9515416D6E21D5B11F1DE7CDB96E39,SHA256=54815C222DB61C812641B7F93F14E8350E0FB3F3964004BBCAB68EAB91EBA84F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401896Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:01.123{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20DAE8CEF589EECD62E54F9271D0B3DD,SHA256=A1507CF69D6C635A0BAA51AB84E1D593F906790846A797A72904AC4F1D9D8C98,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001456980Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:48:58.684{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61191-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001456979Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:01.189{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72612EF5D7DD47DB036531C7A396E6A0,SHA256=E62156E4690048B7651C4D37559240D5473297BAB8DD50D21059F8DDB3AFA2A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456991Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:02.634{D694AEB8-0DCE-60E3-AB0B-00000000D301}64885932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001456990Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:02.534{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E1F3655F80F1246F5BF8E00155EDDEA,SHA256=E0974BDBBD7C71C3E4EFA819D81C915D9EE893EEA5437D947FC1A62F48E734DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401897Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:02.123{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=219E10CC821375D08E4E8269751DB91D,SHA256=647080009A4543459257DCCA221383FC636DEFF1091A892ECF37B26C6A4447CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001456989Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:02.487{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0DCE-60E3-AB0B-00000000D301}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456988Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:02.487{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456987Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:02.487{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456986Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:02.487{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456985Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:02.487{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456984Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:02.487{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0DCE-60E3-AB0B-00000000D301}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456983Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:02.487{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0DCE-60E3-AB0B-00000000D301}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456982Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:02.488{D694AEB8-0DCE-60E3-AB0B-00000000D301}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001457011Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:03.754{D694AEB8-0DCF-60E3-AD0B-00000000D301}56286308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457010Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:03.586{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0DCF-60E3-AD0B-00000000D301}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457009Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:03.586{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457008Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:03.586{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457007Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:03.586{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457006Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:03.586{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457005Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:03.586{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0DCF-60E3-AD0B-00000000D301}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001457004Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:03.586{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0DCF-60E3-AD0B-00000000D301}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001457003Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:03.587{D694AEB8-0DCF-60E3-AD0B-00000000D301}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001457002Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:03.555{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C811ECED3407AC17DCF8FA792FA3C479,SHA256=721654D6DF66BE8EFACECC10DBEC50373B00BD9FF0C604B4FE75522831F956FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401899Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:03.123{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB9616FE1222E156E126A1F57A2C7656,SHA256=B9CDDAA50C53C28CA8C2229B0FF9A5595CFF5058870D8DEDB78A0DB84683BCE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457001Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:03.302{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E7358F945988F802CD14D609C9FF1CC,SHA256=899BAB3B896287EA21827489767B73B99817CCC675218029676B494493B914DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457000Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:03.133{D694AEB8-0DCF-60E3-AC0B-00000000D301}23366756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456999Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:03.002{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0DCF-60E3-AC0B-00000000D301}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456998Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:03.002{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456997Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:03.002{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456996Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:03.002{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456995Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:03.002{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456994Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:03.002{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0DCF-60E3-AC0B-00000000D301}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001456993Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:03.002{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0DCF-60E3-AC0B-00000000D301}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001456992Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:03.003{D694AEB8-0DCF-60E3-AC0B-00000000D301}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000401898Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:01.280{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54150-false10.0.1.12-8000- 23542300x80000000000000001457022Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:04.602{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94D3375432CA5F9D9DC40C204B631ACC,SHA256=9CB349089ABD5FC09A4300060910BFC13077FE9FDDB0EEC24A97DB75997B4CBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457021Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:04.571{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E489019AE06D3FB1F8628961732181A6,SHA256=699D26E67DEFADB450957CEE92E5CA22492B49902B9102C6313C90EA45754F22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401900Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:04.123{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5B558D7F5DDE6E7151F2D93A5BDDEF3,SHA256=5019845F444F6E0B89A59E4FB622E98F73F0EDC2DF4862251E5DD1B29D7A77F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457020Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:01.330{D694AEB8-B3EA-60E2-0F00-00000000D301}376C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-8319-false10.0.1.14win-dc-201.attackrange.local3389ms-wbt-server 10341000x80000000000000001457019Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:04.253{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0DD0-60E3-AE0B-00000000D301}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457018Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:04.252{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457017Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:04.252{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457016Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:04.251{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457015Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:04.251{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457014Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:04.251{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0DD0-60E3-AE0B-00000000D301}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001457013Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:04.251{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0DD0-60E3-AE0B-00000000D301}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001457012Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:04.249{D694AEB8-0DD0-60E3-AE0B-00000000D301}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001457023Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:05.586{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8F3625962582537049D79EEF0A0E8E4,SHA256=56F3B89253D84A575E63835CBB626D79E6B5EC09B8FF95815961DC9D9D0570B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401901Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:05.123{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82A639FCD83968D6D0B3E64980C759B3,SHA256=FB5D615EA2002A2A1E0B1ABA4F21036ED33A264CEA78D4F8381E3D141D85F20F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457027Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:06.600{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=593D79F39B0558417E44AB835A718A02,SHA256=0F8493FCE76479537DC124930E2E96EF1D91768FDC0E84C0F4D66DDD96B4F4B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401902Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:06.123{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FD67FF4DEBFA9958D57ED083DE3F25D,SHA256=444B3DDAE2A25096695D978DA69CA09E83D0B8A6407269448D04AC3877D7A33B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457026Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:03.695{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61193-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001457025Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:03.517{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61192-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001457024Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:03.517{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61192-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001457028Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:07.614{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=792AEA082C29222B888887F05FA16C3E,SHA256=F864BBD4A33278581F7C934C82B076DEC21777B97EE08EFF69650CF116C69BCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401903Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:07.123{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67B9296726A42BC956A96831193D80E4,SHA256=D18BF543D720778C56F7D56FA718BCAA448780640D838577AB523F74F7D04D3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457029Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:08.648{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F378BCBA37FC2A07B6666A067BFD8A7D,SHA256=66F8495B71382C5A4CCEA5C2B12034830129DB75695FBDFD90176F0B325C327D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401905Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:07.264{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54151-false10.0.1.12-8000- 23542300x8000000000000000401904Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:08.123{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=351C83618E16A05A7D91BD791B1816AE,SHA256=63D9F7EA281783C24B2CA1A2DAE8B4B21121EF76854D2D4CAE7B863D8F783AFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457030Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:09.649{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=000A53AE8C0ACADF9FEC9F639F7BA46B,SHA256=19002EAB68D668A8CC83B13144C75A5A718976E68C200E933C3766CEBED32CBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401906Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:09.123{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=407DB27CBE0F79B562F649A57245CD2D,SHA256=1BD1C3AC665CC0C527A91F5D7079C530F12FD4D15CBBE744F3A175DD11BFBAE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457031Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:10.664{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C36698E7A1E38711649A8E668EDE37C,SHA256=8019BE85F7B6846B72A465CCBEC65DA01CDB30DAD8B8BC07E203DFC2F1FDBB75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401907Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:10.123{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFDB79AC608D18B0FF73516B27429844,SHA256=BE826AE12AE95A18034F9F61565A096725AEEC71B4C383D3A66BDF90FC78210E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457033Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:11.695{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04DDDEDA4064FC8562FDD9861C3A1A93,SHA256=4C2412E7EDD95191B5C085EDD8A7841DCAB93CA3DA94B8C6E57448ABBA52CD04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401908Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:11.123{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC7176BB081B9DE7FBC36C49FEB1950D,SHA256=6DE8A6C505F0C86647D471E5B415F28909C2354EEA2D205918867760593155E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457032Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:09.689{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61194-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457034Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:12.710{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=949790BDB393083736C22678EAC9FEEF,SHA256=00DFAD03903B6D999C1FE22C24A8E2FC470EDBFE1E85D06BDB6D9C066F7A9F1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401909Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:12.123{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9CC3B2C86D1A945355E0D16A994308A,SHA256=DEAF24694ADDE940971D39C8BE83556A1EC7557DD7ABFEC5CBAC56D1A39BF081,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457035Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:13.724{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC7F4B76095881C0C7DB68CF72CF97AA,SHA256=A0C28C5D5A70CC84BA4B3230C88629F803FA9D2F7C60FD98ADACF9452FBC278C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401910Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:13.123{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2A4D17790CF00E701AC833BDCAF7702,SHA256=5F85F36472F0559C4D0690E330B8DD186FCFCB65A4C422554B49E8CBBA79E717,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457036Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:14.741{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EEAF45D028B275EECE952786EB90DFD,SHA256=B79517FEDF2F2DFEF9734F94F6B6D2F922291D518597EF732F66457AE10CA76B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401912Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:12.467{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54152-false10.0.1.12-8000- 23542300x8000000000000000401911Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:14.123{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1458DE441754E41563838377AEB39FA9,SHA256=9A5DD63C79EEBE6172711E3534A0364298F3ADBE0B4D92EFE123666AF2864F42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457037Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:15.775{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DCACE93FFD82146CB96EF2687F23B13,SHA256=54DBAA96BB3AC8A57778763D83AC008A8115F5A1B7D681A16DF29EE514C2FB4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401913Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:15.123{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63122134ED6DA19B205845AD0C99D47E,SHA256=2EB6980E0BFC79941344708BCDC997BFA71473231CE38B4615DA03843E9E9F87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457038Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:16.789{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08292B9F0B56E73832F45163EC3010B1,SHA256=543786C0D6D58EEBFC4998D1199280AD02EFAE3F77A37F4C84653A41AE1F63DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401914Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:16.123{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C58BEC89F2DC1D892A1ECCA4DE12371,SHA256=590076A04640F6793E132EB22BBA5369D371D14B7114D24CB119D5982AFE3618,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457040Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:17.819{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8DD9B58F5996582E4D3A48EAD0F37ED,SHA256=8A9AB68262C23914AF6A5EAC7BB5BBB8F6B565F1E41F59073CC33B8D6DF6F655,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401915Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:17.123{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74C7EC56F4B534319CBE92ECF6947265,SHA256=C82B27ED3BB7D32F187684AF63AD7102DB21082B528C18DD62D037E0FB2057AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457039Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:15.683{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61195-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457041Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:18.836{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07FA89478E1D8B182FC9D28361AED9B8,SHA256=980DBB16403B4143518DA9D108EA7014D9B9315C7ADB8BFB613F2663F1A05060,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401916Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:18.140{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90D4C56E98F6FB2DF1201F34AD25C039,SHA256=A46E812FFAE91571B452F19455C2C8F08AE6CC6F2696FFFF2A05F75DCD753C74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457042Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:19.870{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=737C3F21BC63227803B89E4AEC14869C,SHA256=ADCB9AEA9C501ABC04C4AB536BA9A7C5B09DE343BF969E94560D6C428306F43B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401918Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:18.436{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54153-false10.0.1.12-8000- 23542300x8000000000000000401917Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:19.155{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B7B265D788F19B9333085904740EFA5,SHA256=F6E1487C2C8C94F4A6C39A17ACD5AD573E84CCCEE5138C13C7668DA06BB74F3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457043Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:20.871{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8495EF99C8F6F7A314F519C91245807,SHA256=8FD647ADAF559723D14AFDBFEBD747ECDE86C001DEEC0F1C56443EDD1047C650,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401919Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:20.155{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B9A8EF5F9B54E27A9292D5D9174F851,SHA256=55ED3513393D0676964D00299B954370C69F87A4F2A4F0265C50EDCC6597EE2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457044Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:21.901{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93E34A48ACF75EEBD2FF04EA5A5158DF,SHA256=13722777CD482AAC2F2A6FAB354719A66100752FD5DE5CDDB964E291BBEE31DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401920Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:21.170{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D61791EB6BAE7502E292F8C939C00E9,SHA256=83F9F52D42281AA14571AF38FADB7469394605475F1270A0AB6A3485EE9064B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457045Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:22.916{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D096DAF2E8AEA338CCFAA850928001BA,SHA256=005635513562BF0990D48FEBAC56701708BE7B05FF63C17E683892817AF8BBD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401921Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:22.170{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D3607DBDCC531544FEED78A0347FF70,SHA256=A3852389E2770F405E515C4DF959133D711FFC34F8D6FB3DA809B2BC57F48DBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457076Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:23.952{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC429B744E1B8357010B9A9E58C74F7D,SHA256=1BB050294536EECFB58E4273F50A99FCFDDA0C3A7F2B0993D3572FDA1E81AACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401922Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:23.170{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF9AF5ADBDF31ED8308EB85DB3035227,SHA256=36B4B1C0C9657BFCD6048FA23FDFBABC49145A162C7156153FD7B7D545277962,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457075Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:21.663{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61196-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001457074Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:23.768{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457073Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:23.768{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457072Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:23.768{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457071Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:23.768{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457070Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:23.768{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457069Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:23.768{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457068Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:23.768{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457067Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:23.768{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457066Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:23.768{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457065Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:23.768{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457064Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:23.768{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457063Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:23.768{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457062Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:23.768{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457061Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:23.768{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457060Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:23.768{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457059Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:23.768{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457058Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:23.768{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457057Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:23.768{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457056Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:23.768{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457055Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:23.768{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457054Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:23.768{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457053Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:23.768{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457052Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:23.768{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457051Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:23.768{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457050Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:23.768{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457049Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:23.768{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457048Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:23.768{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457047Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:23.768{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457046Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:23.768{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001457077Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:24.967{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F89AEB22A9FCBE87790AA617C47D1494,SHA256=ED58FEE2979DDA97BCBE3FBBCC3479163DBFD80B4D29452BA45A9019FF5BDBD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401923Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:24.170{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5A58D5288BE6F001E003715839BB9E8,SHA256=365732A659EA2DC97CD860C7D12EE5E031D874B3CA8B3C44EF926E0FE08177E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457078Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:25.982{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=746522D4593E90429B3AB97876736A82,SHA256=7F177993D8F7A90A774F44EE257AE0F5ABF25E00EAF79B4F8FE5EB1BFEFA1248,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401924Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:25.170{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91E71428FCECB63CD83F3B86A915FE60,SHA256=059DB3527603EDC7C63E46FB3BA263B743F4B0F0B09ACB5A82B9728E3F28E29C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457079Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:26.997{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E404CACDD03F95BD97FD50E263157F5,SHA256=1032AEFECD681B99F4930F80855BBD9E7860E06E2D62657DD1D1801AA5FBA567,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401927Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:26.405{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2D26ACCABA9FBD0FED68CAA9B0BE7101,SHA256=DDCB90B6F1DAF8510EB7AF12B13926CA7A7A26280330D307965D2D5B0165609D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401926Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:24.452{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54154-false10.0.1.12-8000- 23542300x8000000000000000401925Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:26.170{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D1BB84080C0B70A081E079EF3A16190,SHA256=226C1FDCB4337909AF65C58EE75D28B190562AF97481C9688CCB4702FF74E0DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401928Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:27.170{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5126CCB5AC061DFA3273241DA9F29658,SHA256=9819542E46267A128C9E69170D0AE4F50EF6E24164104066D9A2E77072677FA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401929Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:28.170{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=851F41D837C9448DEBB1C8A761CEFEF2,SHA256=3560EA52A77B93F87E29C0076B34D65CD8B0FC7480F3AB1A5D50C8179DB8A012,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457080Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:28.029{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=034BADF144E707535A19E4AD77775424,SHA256=DEDBCAC096E69A573BAC96A76E1E14889BC1D72FA8AA8F074F3F9DF4059C7E7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401932Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:29.983{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=546BDC1195B4B5F5CA92385529462ECD,SHA256=2C861A01C69DD7E9C5DF9C089096CFD9BF5147471C62D08F5E5EE725A0973F33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401931Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:29.983{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC00EC24EF6153FCC7F2C9D138124BC4,SHA256=4517DEADDFE68C66A9AB49A3F3E885D6B7CFA5F47BC35078226FB8081977CD42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401930Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:29.170{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6316178B345FCC79A9D633879C57CCC3,SHA256=F033AD7137F85EC372299151AAB105BF2D1F877D21A536629477214D7B2A7017,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457081Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:29.048{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D29FC7399A42C7A10C03A494576C6F3,SHA256=708E42C4926D728038A7A69E4FECE831D4A59A9962D9823657E8A186E0FD3C2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401934Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:28.908{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-57619-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000401933Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:30.170{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BA1BFA71965989A019AE63F3E20000F,SHA256=A7AF30DF3AB5E430313D1D3D464C02FE967E856D93C910FC2FEF9A90392A8254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457084Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:30.962{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457083Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:30.062{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B222CDE303DA0ED05148CBCA3A6B73D8,SHA256=9EC64F3BE4B5F1F2094F18E582E36F38B68CE70AB82FBF0A2DED5C0D26337639,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457082Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:27.695{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61197-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000401936Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:31.576{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401935Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:31.170{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5175708F0F4540A3E5EED4BB49E9BE6D,SHA256=5FCE8EF6157E2F51C7803A88268D7A360980316AA0BABB7FBDB4ECD23BA2D243,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457085Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:31.062{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=455D6E6F0DD8B7CD4C9A9C498A1DCAA4,SHA256=A602DA18D331D1D3A92901AFF6D9813E27FC32471A1A1FDCE2CF99F142B6F322,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401938Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:30.483{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54155-false10.0.1.12-8000- 23542300x8000000000000000401937Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:32.170{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D24F5C393B060D92F7456C186583B34,SHA256=E726E3BF93BF26E46A36DD557DCA77A350D2C4B4F6D1C5E70C7435EC50BBDED6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457086Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:32.078{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FB1DED1511CD738321481D1DD732FA6,SHA256=F5A86F1F38EC1B81D6311B34EAA5056A2E6CE4AA86D5A78C5795B1B558959542,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457088Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:30.393{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61198-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001457087Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:33.092{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA87E4847AE4B0171FEF0E936C920A6,SHA256=B0D4EA6333F12F21E19EA8C426D7016D52932A0B2F9A0513C56937CF9312AF84,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401940Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:31.780{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54156-false10.0.1.12-8089- 23542300x8000000000000000401939Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:33.170{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=397775462EA605B7B3016F133B04C0F0,SHA256=006D331132A91E6C214FF8A0EF8FECCCE1D608A9650BC3ADD698AD50157CEB43,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000401954Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:34.561{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0DEE-60E3-170B-00000000D401}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401953Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:34.561{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401952Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:34.561{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401951Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:34.561{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401950Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:34.561{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401949Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:34.561{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401948Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:34.561{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401947Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:34.561{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401946Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:34.561{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401945Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:34.561{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401944Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:34.561{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0DEE-60E3-170B-00000000D401}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000401943Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:34.561{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0DEE-60E3-170B-00000000D401}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000401942Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:34.562{7F1C7D0B-0DEE-60E3-170B-00000000D401}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000401941Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:34.170{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47FD9925AB4319183ED55A06E93C7D46,SHA256=ED3FA176C89EFE3B31713A7365F807D5DCA6C9CF18B3E0DD87DED8C8E47DD700,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457090Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:34.123{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=9B161A084586270D1C33AD7AEC0ACABE,SHA256=D714D7C864A9C7983A6CBE147670C6BAFE3B3DE2D5EB31E6E98B81B13DE1C679,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457089Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:34.106{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13811F60EB1EB40E6F5A0D7F18F93B54,SHA256=911B1D5D43CAEF871CDBB671DD1943A2C86687BC3C4BD5AA268CE6E14C4C5DE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457091Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:35.123{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55B88CF168CC6682A888D410E0159651,SHA256=C9ADE856B2F02EDACB1D2358923501B9BD6E998EEBDEB6545F669B43882B07E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000401984Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:35.936{7F1C7D0B-0DEF-60E3-190B-00000000D401}20202484C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401983Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:35.733{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0DEF-60E3-190B-00000000D401}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000401982Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:35.733{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACED530E339847CCDD46578324E53C91,SHA256=A6569B98F5E64510F7F1BD14F51935AFED55A660AA31631E95ED1D751FD31A78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000401981Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:35.733{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401980Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:35.733{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401979Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:35.733{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401978Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:35.733{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401977Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:35.733{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401976Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:35.733{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401975Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:35.733{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401974Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:35.733{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401973Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:35.733{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401972Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:35.733{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0DEF-60E3-190B-00000000D401}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x8000000000000000401971Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:35.733{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=546BDC1195B4B5F5CA92385529462ECD,SHA256=2C861A01C69DD7E9C5DF9C089096CFD9BF5147471C62D08F5E5EE725A0973F33,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000401970Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:35.733{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0DEF-60E3-190B-00000000D401}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000401969Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:35.734{7F1C7D0B-0DEF-60E3-190B-00000000D401}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000401968Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:35.233{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0DEF-60E3-180B-00000000D401}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401967Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:35.233{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401966Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:35.233{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401965Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:35.233{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401964Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:35.233{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401963Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:35.233{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401962Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:35.233{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401961Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:35.233{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401960Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:35.233{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401959Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:35.233{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401958Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:35.233{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0DEF-60E3-180B-00000000D401}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000401957Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:35.233{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0DEF-60E3-180B-00000000D401}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000401956Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:35.233{7F1C7D0B-0DEF-60E3-180B-00000000D401}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000401955Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:35.170{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF9AADE77B043BC8CCB9E86B32AF1989,SHA256=4CEB6D2FC48D8467F7018F16B0FE5FEDE2EA05C219134C262A3D4D3945AC7525,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457093Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:33.472{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61199-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457092Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:36.157{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E88E5A3A38A58C9F5C5DE7C8FF70B94,SHA256=B07168E1C71B01AF7EB6C6F34E7407C7F95BAC7338610C646DA088BFCE34F556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401986Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:36.826{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACED530E339847CCDD46578324E53C91,SHA256=A6569B98F5E64510F7F1BD14F51935AFED55A660AA31631E95ED1D751FD31A78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401985Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:36.217{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90E69082D0486B06E8F0CA599880E817,SHA256=63F3A46450E9DF2CF920D8E30D03699CA9B71E2AC066198E90E26F5AA47F6A8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000401988Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:36.264{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54157-false10.0.1.12-8000- 23542300x8000000000000000401987Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:37.233{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C3A8BA4C334DD0FE4FD251D01883240,SHA256=C7EA1AC035EF84526FFF988B1AAFA7D41106BDBB76E9CDFB099A13F2599F0E45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457094Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:37.172{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2FBEDE2C0991FCF5A3CF18277CD95FA,SHA256=E54D2DB29367EA5713DF8E21A71671D4AC9AFB0A6802A1F9EE89D5DC5C0BF27D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457095Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:38.186{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC6AB6D1E57C18B61F0F302E7D14552D,SHA256=0A3F4DF0CB3D43DE10015763BF403AA6D5A60D5761B640540B8754A9EF667226,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000401989Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:38.342{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A38860F24CABD64D2AEBDB41481F5FD,SHA256=1CD3DA1BB08A4FA536C0220549B4E4E294F8BE653CEFA845E086FF6F7433B4E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402018Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:39.920{7F1C7D0B-0DF3-60E3-1B0B-00000000D401}33563096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402017Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:39.717{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0DF3-60E3-1B0B-00000000D401}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402016Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:39.717{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402015Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:39.717{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402014Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:39.717{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402013Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:39.717{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402012Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:39.717{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402011Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:39.717{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402010Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:39.717{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402009Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:39.717{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402008Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:39.717{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402007Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:39.717{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0DF3-60E3-1B0B-00000000D401}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000402006Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:39.717{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0DF3-60E3-1B0B-00000000D401}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000402005Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:39.718{7F1C7D0B-0DF3-60E3-1B0B-00000000D401}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000402004Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:39.436{7F1C7D0B-0DF3-60E3-1A0B-00000000D401}9321328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000402003Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:39.389{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61F42BEDD746EAF4E2113ED17B37B92A,SHA256=EE3BE796D604EDAA1CA595B441951D91C9B26255477A7F4412AC81C3B5D48F40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457096Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:39.218{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAC89FA64D3DE45F0883C1EC3841D29B,SHA256=F8D5D008CD3AD6D07E96AE2A8A4288E020E8DF6527AD9ACA8B1FFC2DC01CB66D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402002Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:39.217{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0DF3-60E3-1A0B-00000000D401}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402001Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:39.217{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402000Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:39.217{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401999Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:39.217{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401998Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:39.217{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401997Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:39.217{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401996Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:39.217{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401995Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:39.217{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401994Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:39.217{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401993Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:39.217{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401992Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:39.217{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0DF3-60E3-1A0B-00000000D401}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000401991Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:39.217{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0DF3-60E3-1A0B-00000000D401}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000401990Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:39.218{7F1C7D0B-0DF3-60E3-1A0B-00000000D401}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000402047Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:40.889{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0DF4-60E3-1D0B-00000000D401}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402046Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:40.889{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402045Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:40.889{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402044Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:40.889{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402043Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:40.889{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402042Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:40.889{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402041Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:40.889{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402040Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:40.889{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402039Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:40.889{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402038Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:40.889{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402037Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:40.889{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0DF4-60E3-1D0B-00000000D401}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000402036Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:40.889{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0DF4-60E3-1D0B-00000000D401}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000402035Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:40.890{7F1C7D0B-0DF4-60E3-1D0B-00000000D401}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000402034Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:40.612{7F1C7D0B-0DF4-60E3-1C0B-00000000D401}18243020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000402033Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:40.405{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CB54A0213BAFE8D88C38FEF64D65215,SHA256=C16C63172A884F75DA2BFF0E7842C319EF85E7CC10F270359660CD4D69DE8281,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402032Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:40.389{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92B03F33E924C6DA9C9E0BDD0B33FB9C,SHA256=194CCBE24D552A38A2C8BC4EEC6459B917695BF30E70F575BA38858372C3D38D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402031Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:40.389{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0DF4-60E3-1C0B-00000000D401}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402030Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:40.389{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402029Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:40.389{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402028Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:40.389{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402027Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:40.389{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402026Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:40.389{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402025Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:40.389{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402024Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:40.389{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402023Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:40.389{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402022Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:40.389{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402021Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:40.389{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0DF4-60E3-1C0B-00000000D401}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000402020Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:40.389{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0DF4-60E3-1C0B-00000000D401}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000402019Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:40.390{7F1C7D0B-0DF4-60E3-1C0B-00000000D401}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001457098Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:38.485{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61200-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457097Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:40.252{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85B0143F0A3B2B3CC2EFA70DCFCF76DC,SHA256=1F0EB8042EAC45E6586FCA0190D480ED9BFFD9DF7256F476B9B6E6B84C5EC605,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402048Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:41.514{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1ACCBE26C67BD03F418E282025EA13F,SHA256=AD6EC9E6962EE3EF6D3E3336270CB6504A03B045E6D09F884157EFFD1374D4FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457099Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:41.253{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=220BFB86A36D4493D145BAB6752D825F,SHA256=A11EE7AD8C242285CE77108501561FFCAC1FA6E430BD5F287800456FC884B6E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402051Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:41.296{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54158-false10.0.1.12-8000- 23542300x8000000000000000402050Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:42.530{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A435663F3DFBB66EE434F8D374BD4FB,SHA256=B7132731437EF3E025445E311BF22A05E45965784386CA1A3691201496AB5FE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457100Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:42.267{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C552E45484DAA3FE0E4588EBFC6C0512,SHA256=71E357335F3263272EDDB44D98B89EE200B00913DD43C3F7683824C19B1F8D04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402049Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:42.030{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B9E90CB9946A576BBEA1B7C0C150917,SHA256=7C019C4F282CCB82E560DC8214001F2AC86F322A84BF7E63CCD1432BA5684853,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402052Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:43.639{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1438411E65CD628B34EE293999828D5E,SHA256=E01B9988C198A21DB54410C250F8836C21B4E35F3CD69134DB23BF4AE5A69A46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457101Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:43.283{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F72D0C69E94316B183427C1B586F6F4,SHA256=536F9FB5B4132D00A2B6E34A9AB7EE59F55F135EDC25EF1A23D6B4B1C1B77377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402053Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:44.701{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A45E27581255F6ABA6D5E8D226B1F5F,SHA256=FE8093F5AB73457B3536A7995326D10C284A20B0617E86C578B91291566EDFEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457102Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:44.298{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74CEF05782693F34B09B8A297C469454,SHA256=7C126B797E22D05E77AA2F1B198FF270F51B2241430E7A5660A6CC2837EA439B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402054Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:45.702{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7AE299EAC0AFF47E070E6B92A0D7D8A,SHA256=09C6228D0A4941FE0FA2B2749F01EAB0B0FA8BA677D5E388E164B46E93F0A56E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457103Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:45.315{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=908BEC338BD6077A3962FB1266FD1DAD,SHA256=9C990497302F7848C8026166066B02428A2D4DB0CF328F84058B75E18E598EF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402055Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:46.795{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4AA330BA96B256E745C9096C9F258A0,SHA256=769AE883B8660C83490311EBFD3C9D0E69E00FA91A71227963361F6E952417D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457104Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:46.349{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=438FE83C9863B45AE0105F9E4DAC323B,SHA256=D4BF8E4F49FC2EB539ED415F8D5CEBD3D4F899B3DB9BD808A5FF92A9C7B47543,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402056Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:47.842{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7545DC50BEF6984DAF3B0AADDEF6FEFD,SHA256=59FC515B78503F92D20D0C403DEA04BAF098D009D4F26D527756D5CD14B7A2C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457106Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:44.512{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61201-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457105Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:47.379{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80D34D8C361D086D37690F2C5E4AC963,SHA256=9141CFB740703E41168897A75F543613F412615C0F662CABD026F2FAEE5282D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402058Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:48.969{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C08DDD7FE88AC90227DB7838202C98CE,SHA256=AC4CBB4530C85EDD07A38D857CB7308531BA89ADC95E5AE2CB14136DF7CA19C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457107Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:48.413{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BE3C0A88FA799C5B3CBCDBF3B97DEA4,SHA256=69DA0FFA886DF2CD02A31D46153E9FE24A8FD7A59BE60AACD95FDAB4B6DDE634,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402057Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:46.296{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54159-false10.0.1.12-8000- 23542300x80000000000000001457108Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:49.445{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A65D2783C3CF09BB4A23AC617581142,SHA256=1860AF614F9C8A323E308C7459BFC81F265EB6D7BAB671331444627E35BFD5B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457109Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:50.460{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=310B471DAC1497CA740C04C2DB33ACAA,SHA256=1995301B0A7F8DCD44969AF70553B893C89036095A8D94F51229C6F8A4F6D659,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402059Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:50.142{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1E9E052F666EFB14E314F00F0CBEB7E,SHA256=AA34A96E8C1B8CA0EE8474C1BC92ECAA0B67BA97D6771282CE269C84D5296892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457110Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:51.475{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6880971B09FB6798370C1ABBA7BAA5C5,SHA256=B28F808A1988CB667D4FF867561ABFE463842F4943C0BDB2887742544E17F267,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402060Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:51.151{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF20789E9CC5E47D5A2101A4D4543490,SHA256=4C6A59F9ACD044962B9BE8F32B3BE676DF3F38E0EFE8A64F21FB0FA22E7FBA16,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457112Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:50.506{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61202-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457111Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:52.489{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22F9FCEE8549AA56F0AB65512C11EB4E,SHA256=C05FC4500FE1EE71B55F68BB96B7BF039B505FFBB5B864F0F2256728723CFA87,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402062Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:51.480{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54160-false10.0.1.12-8000- 23542300x8000000000000000402061Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:52.167{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E60CBDC729AC8478EF75CD404BADE44,SHA256=324532CF8F60973E09275EA426E7358CFD8F899F5130ADE954F92061B3E90CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457113Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:53.506{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84034FD54482033588C7908DCD38DFE9,SHA256=3E18234B006F4A7FF5DA795E61D8F7A55751401BBBE18F39F825BC943EA0825F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402063Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:53.167{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=909C6F72850BB0E40F4E366371CABCAA,SHA256=55C53A99FE5F558E6D81B99006A6AF33AFDAD5F170D14967A5F5ED1386D1DCBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457114Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:54.524{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=184F31E37B50575DD42A6D03CDB04CA5,SHA256=263EB49A6E260F9FA04C2FEBA165906E5C0850938856ED63C87AAF1FEF551A99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402064Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:54.167{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B78153414BCEEC77749F50B8E23EF74,SHA256=E8E64F804AAD5CBBD0EA31F147B5E2A6E4F629B51F9942D70E420882C9286CC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457115Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:55.539{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D033021CB68417A77F061495CDCBDCD,SHA256=613436518A1E42ACAD76B7C9E67C7A3C54E6A6BC0ED1301FB15361DD7358309C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402065Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:55.167{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=240DD6EFCC58D2D7DF056CA27A03F066,SHA256=228F395E0E8D0A0286FB6E726C9354063D193B70CE6D6CE7319BA68028ED1073,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457116Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:56.585{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4335979BDE6AD9DBE841D89BAC6C458B,SHA256=C580FEDC92B9CEE4612D9A7DD2069A607194C9995631E8AE6B1BA8C513E59004,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402066Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:56.167{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A20A18B716CF4A8C657F8790FF3245F,SHA256=251B2BAE94731D54C83085CC42C38A596A35BECC8DD57D29D7A22A36D4311F1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457117Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:57.602{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3067EEE1475D28A2463EC97E2803AA44,SHA256=3DBD7E025F47952F6DCDC4B79ED782426C9DA1D467F1AA33F4D3E90420EEE32D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402067Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:57.198{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8A4561725D1AF6D01E5B7CBF04F36EF,SHA256=A5BA5DE3FB0D7C67C1D67BEA5E037B2DF088F09B5066CBEB2191892808B2A8CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457126Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:58.851{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0E06-60E3-AF0B-00000000D301}1764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457125Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:58.851{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457124Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:58.851{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457123Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:58.851{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457122Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:58.851{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457121Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:58.851{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0E06-60E3-AF0B-00000000D301}1764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001457120Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:58.851{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0E06-60E3-AF0B-00000000D301}1764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001457119Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:58.852{D694AEB8-0E06-60E3-AF0B-00000000D301}1764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001457118Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:58.620{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3779F6CAE1DB4F4C4F2215CD5BA0E8FF,SHA256=01B9E69E56FCFF30D3F2FCD98CD75EEFCBF9E479E1EF139D800A094E69C2880E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402069Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:57.433{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54161-false10.0.1.12-8000- 23542300x8000000000000000402068Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:58.213{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FD5E8622FBBA8B2E62F58FF9AB17C36,SHA256=AC9B283E2EDBA0415F743792BCF95297E4A7A4DDADD33C9FE0E8B74F0D5B39BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457139Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:59.865{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D34D900A4BAA47AA1EA917E05A3A846,SHA256=BF323B7690B9B7DAE056B1FA773DCD67814D1949200E4D2C4610176D6DA4D635,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457138Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:59.865{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=003790C7B2D7F4D6C3B008582623ACCD,SHA256=534195938793EA1E44CBD9CE14CF576E913641FD2F4106165FA4F6096A2F6194,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457137Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:56.500{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61203-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457136Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:59.634{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB2F2185A2837B10B4C3408A34EE5A66,SHA256=DF337A89157648E4F9B52FB2A46D5167C8958F6548815325E665A40601D7404B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402070Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:49:59.213{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=822C2A5788957874E9E2C843357206EB,SHA256=28A20897500100747B9C9BC80BA8586FCCB43FA29FAA92432E05EACBDE696D06,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457135Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:59.519{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0E07-60E3-B00B-00000000D301}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457134Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:59.519{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457133Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:59.519{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457132Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:59.519{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457131Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:59.519{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457130Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:59.519{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0E07-60E3-B00B-00000000D301}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001457129Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:59.519{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0E07-60E3-B00B-00000000D301}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001457128Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:59.519{D694AEB8-0E07-60E3-B00B-00000000D301}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001457127Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:49:59.004{D694AEB8-0E06-60E3-AF0B-00000000D301}17646920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001457148Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:00.864{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B533DFA70D879C75EBE9C56837E0863E,SHA256=EBDF042B8F544D8022CBA5D3B89E770D363577E755386BAE4EE8C65FAF73F3C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402071Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:00.213{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BD270406F16E91C11D4EFB6F17B1A03,SHA256=8511019F68A6EBEF0BF45BAAC39AB095CCD7A4D8EE7902EE11E5BF4D6385FB9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457147Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:00.201{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0E08-60E3-B10B-00000000D301}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457146Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:00.200{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457145Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:00.199{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457144Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:00.199{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457143Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:00.199{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457142Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:00.199{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0E08-60E3-B10B-00000000D301}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001457141Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:00.199{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0E08-60E3-B10B-00000000D301}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001457140Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:00.197{D694AEB8-0E08-60E3-B10B-00000000D301}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001457150Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:01.879{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BEE08266E5E79F94EBA83C5A166EB35,SHA256=078009A6964D4C32DE99BABD7A48B0A46A4CC1A53DE0E1FB7C6B9441F9E93F23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402072Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:01.213{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8751C22458BAF430FCF3D4DD0B0B550B,SHA256=B0635E665F5ECABABBEBAEB7891065E4C3589AAF20ED3437692CCE41A7EB7593,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457149Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:01.232{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D34D900A4BAA47AA1EA917E05A3A846,SHA256=BF323B7690B9B7DAE056B1FA773DCD67814D1949200E4D2C4610176D6DA4D635,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457160Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:02.879{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2BB01AF28F85303D9FDBA903331237A,SHA256=A565A988B418AF7D02A03539562F0B848B5D7CC1B9BAFBAA77F07D44F3FBD647,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402073Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:02.213{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7C652006BC636086D187ADFF051FC4A,SHA256=CD53458A17554EF101FD4345804B057BFD565E43511FC565E8527BE2F61ACF9B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457159Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:02.716{D694AEB8-0E0A-60E3-B20B-00000000D301}58086532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457158Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:02.515{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0E0A-60E3-B20B-00000000D301}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457157Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:02.515{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457156Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:02.515{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457155Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:02.515{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457154Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:02.515{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457153Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:02.515{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0E0A-60E3-B20B-00000000D301}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001457152Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:02.515{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0E0A-60E3-B20B-00000000D301}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001457151Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:02.516{D694AEB8-0E0A-60E3-B20B-00000000D301}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001457179Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:03.900{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBFA1A47E13C3F09372F4098D3E3D64E,SHA256=26D3A1CDEA3ABB91744195831787003E180E1EC52D41192C9001C9A673AD5328,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402074Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:03.213{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ED79AA5B4A47AA8574D6DF7345F8140,SHA256=BF0A9D4AF9EE71B006028AD19A4251FF999068E7DA750FE0024743AF119A9E0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457178Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:03.716{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0E0B-60E3-B40B-00000000D301}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457177Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:03.716{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457176Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:03.716{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457175Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:03.716{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457174Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:03.716{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457173Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:03.716{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0E0B-60E3-B40B-00000000D301}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001457172Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:03.716{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0E0B-60E3-B40B-00000000D301}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001457171Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:03.717{D694AEB8-0E0B-60E3-B40B-00000000D301}6380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001457170Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:03.547{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6356DD1F3B038CE2D8E584C36AB5CBA4,SHA256=5D7AFD744A31B43B42F167958A04AC18F1E115277B061BAA6B77D0CAED86DC35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457169Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:03.248{D694AEB8-0E0B-60E3-B30B-00000000D301}52326624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457168Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:03.100{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0E0B-60E3-B30B-00000000D301}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457167Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:03.099{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457166Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:03.099{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457165Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:03.098{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457164Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:03.098{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457163Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:03.098{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0E0B-60E3-B30B-00000000D301}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001457162Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:03.098{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0E0B-60E3-B30B-00000000D301}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001457161Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:03.096{D694AEB8-0E0B-60E3-B30B-00000000D301}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001457190Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:04.915{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2415C1D0EAF6DECE71A69EA04F02F922,SHA256=9688762A8D8AB333A23DF8C4DCCF975399458517F0B8DCF7C4BB1678F3045C53,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402076Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:02.433{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54162-false10.0.1.12-8000- 23542300x8000000000000000402075Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:04.213{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12581CB6F7CA5BD4BF88516EE9DD8E9E,SHA256=9BC7DECA1B137A6EE6ADB1F797C7A54CEE209F099F4A1A2FEBB57803DBA49047,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457189Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:04.731{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F2EF8FB82C03F34D1DC21FA6A08B99E,SHA256=0422939AA783B9220B7C4141A2FD62C35E7A3A2CF839B25E949E833DD69C5252,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457188Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:04.531{D694AEB8-0E0C-60E3-B50B-00000000D301}3624736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457187Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:04.398{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0E0C-60E3-B50B-00000000D301}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457186Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:04.397{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457185Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:04.397{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457184Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:04.396{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457183Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:04.396{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457182Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:04.396{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0E0C-60E3-B50B-00000000D301}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001457181Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:04.396{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0E0C-60E3-B50B-00000000D301}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001457180Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:04.395{D694AEB8-0E0C-60E3-B50B-00000000D301}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001457192Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:05.945{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=127865BB6F60CF997D82BB01CD441E96,SHA256=D8C0B278D9388007543E2EBB44943BC30711B8B7194E1914844B493DFB737A57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402077Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:05.213{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B107F43C31FCF0422C54A0C4CB45E53,SHA256=C35E5B32428095C960F71F5C10CEC2834BBC298B183CA4A64B217DC4D94354BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457191Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:02.494{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61204-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457195Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:06.960{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BEE652E0CDD8679F824A3B9C314EC6B,SHA256=4058EF0B4728962FDB247B5927CD6A3DE3542E8C06DA1F3A321D281F40F39E0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402078Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:06.213{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B07FBAA7A3A8EA4D6192BE4C0468E4FB,SHA256=9F2133C476733F65C95532440632DF8E256092EF5C4642B6D15A3EB9218DB611,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457194Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:03.525{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61205-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001457193Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:03.525{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61205-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001457196Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:07.992{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDF0AC5271E63C14F9995EEB28C6F4E8,SHA256=E6689852261F65839FFEE57988E0178D86E508950503D68ED5829C71C20862E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402079Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:07.214{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59EB45700AC7E8722BA38F7E99F0C044,SHA256=7E3CEFC589F92B5B8E34E1866A5374E2969E9A28ABBCEB0CF20D14CBD1D0E417,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402080Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:08.229{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8562F567ECF09719F819453F7B85AB9,SHA256=1686675D8C6DFBF1A74950423391E20A47199EA289D793E5CEDC1F385A476968,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402082Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:07.433{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54163-false10.0.1.12-8000- 23542300x8000000000000000402081Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:09.229{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D09EC27D5346E16F18851BACA89CC5F,SHA256=2F7E026CADF2E169C953854A1D8F62C9C51939650312DBD82318A55E57B17AAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457197Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:09.026{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E404981BB7BFC29A27205B46391FCFF,SHA256=AA0170160A350F78C0EF3E4521D91CD19791C3982F1CDECFEC202FF37A43424F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402083Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:10.229{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D9DDF37C0C65171855B600A459F4E12,SHA256=DB22057D99122D8E187E463A951FDFCDAA5303B594F3C4E2944D0864BAB8C22A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457199Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:07.574{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61206-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457198Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:10.028{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81F382C6CBF85A141D0D902BB6E8048E,SHA256=0CF30AE6857BE79EB441A7FA3BB4B9AE3970CEAA9A539EA875A2E0E8C46A54FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402084Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:11.229{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7AF696F269D200DD7E17AF91E7AF4E7,SHA256=398875F1809E7F66E17837B192EDFD9EFB39551E0652E68679BE404140920110,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457200Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:11.042{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3ABAC66AD53BEE24F66989C98B2B692,SHA256=853CFBE0641389FCA5ADED4DEE8362A77192E1D26711F9337B7E0065BFCFDE42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457201Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:12.056{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31ED7B24BB4CCC57ADBB17157EA75720,SHA256=D3B09F3A1F95007F0F639533F63AB3CECA0EBCFEC8383A5F2941F25C6C344C62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402085Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:12.229{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5FF4A1EE767065ECAF0748C999D0913,SHA256=003AE49F5893B0DA7754A17C9E6909C867D852CCC6473AFC4F0218CF981130D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402086Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:13.229{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45FB6DA8D7FDE4B99A3CEC76E41282D5,SHA256=BB06FC7C42869C7CC23D91156C2A5DFF98F56F02E13B5876CE4534DE2ED63C4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457202Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:13.071{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=739E0B784D8E389154041A3FEE1B63B4,SHA256=7D2941A10716B3661FBBFF9CC493F4DAB0F139DDB48037058D6B9B97A7DB955B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402088Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:13.417{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54164-false10.0.1.12-8000- 23542300x8000000000000000402087Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:14.229{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57EAF47FA30B7C062FB24AA70EB2395A,SHA256=CBBDD292B5F00840E7B0E316500CC8AB23E7B67D88827064F45D2804E762324A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457203Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:14.088{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B31A8E52ED90483FC61D38F906A24677,SHA256=CDC697848E367E9F6175A95CDD287CAD7203A525EAB754FA0D55148A167532A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457204Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:15.107{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=892C3BAA9D04D5E150B1BEFC10C931DD,SHA256=F497E06C15912299489E4A4BBCCF5373757AE14012FDDD32978A222047200B0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402089Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:15.229{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9348A1FC72D1D1B1DC81D9505F05D56,SHA256=ABB1FFB2DF484E6B265A0B508FEDE6B2A4F29917ADB5AC51243506C7734016E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457206Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:13.585{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61207-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457205Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:16.152{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D18E4D8318648C49410565FFC084547D,SHA256=6364CC291468872C5EEAC9E17774CD25A9F82DB954F2E78500B1E97905C324CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402090Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:16.245{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7CE41ADD34B1C1B3A7A4F435100EE05,SHA256=FE3D197FCEBB1CCDFDE2249882668B42882DB24B9722F9D52DDA2FC5F0A3708D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457207Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:17.185{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8154C1C47DF0D6B8E0746B97F4120A65,SHA256=EE168F9D290615CD41C0CBD23C2286015416B9F264BFC48741F879A9C2EC11EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402091Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:17.245{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB26F4CC858B04DFF370A20FEE3A7C97,SHA256=46306027269C948C7AFBAB633B3BDA9DBF8C53EB94E9389844DD891D7380C82F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457208Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:18.219{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B5D2A67DE70F4EAB74A98B1667F5CAA,SHA256=3430EA8E354C6F83A99F12AB981EB8EAD7740F5135A7ED7D5C0A3B5D9AF53014,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402092Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:18.260{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59C1FAA0721F858370DCE6BD12E69914,SHA256=AD5130004F6F8BADA1227EC6AF97F6EE1DC224CBF254EBAECE4948A9B4F43154,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457209Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:19.220{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=755F6A2B3367C7403E0ADCF5B06077F8,SHA256=DBA37043B78B05FE55FF241AC721655B08A17F122DC167CB574C26DADFC9D437,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402093Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:19.260{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=694D72A7560DEC51077ED1C36B9EF8FE,SHA256=4A3AD626C818322688C19569D55D9203C49555DC5AE8C57556B2A64FEC6AF693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457210Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:20.250{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8D5F1F04A3C535C384588F811A9F90B,SHA256=A0C639D7E6B525D8EE67B2B2285254FCB98FE4C9F59C19D92C69F3AA52D123D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402094Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:20.276{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F45E1F55F1F0C89EA3FF525588FEAC02,SHA256=88FAD756CE698908C1F1421E75E304E6661A42F408268EF0B61E63D8963A4E5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457212Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:19.612{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61208-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457211Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:21.265{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7B2D1105BFC346FC9D81EDE2BA3B936,SHA256=B8F8B7166783A0F608C2DACD4E37D48FA573A55F5BED6D179C33D88C7256BED2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402096Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:19.402{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54165-false10.0.1.12-8000- 23542300x8000000000000000402095Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:21.276{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68DE310AE7BCCBAC1663BA7B266C9C1C,SHA256=6748D9C7306E9B2944D3282B9331CC9E2CA1352FFDA8153E7A2EE4893E6710E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457213Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:22.283{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87A1EA9D062D042B44C5567428F961A5,SHA256=03AA2B8594E02F0D1754924DE61CA360FAC9A94C333FFB00F8A2B3FAB4343780,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402097Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:22.276{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93B5FE8C366C23F04C320EF380E72AAC,SHA256=C7B738C0C99BC6C20F5A728D402483F986A163A16CC1B5B0D14DFB4A5196C369,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402098Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:23.276{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C40E99C160F9AA0F4B52D51D17C50C46,SHA256=BEA51C1A78AFD144259A5D3CD52D6D9133B3DAFE1E06552E36B90CEBA5E0AF91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457214Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:23.300{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F62344C5F827A49EC4A001771FA2AFEF,SHA256=7D915038895C87A7E1A9CB47CA085BA077349FB0C3163A59EFCB133F2DF0511C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457215Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:24.331{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D99238FD32BCA6CA361D917734B96BF,SHA256=CC5704C454C8AAE636AC8F8A159015B9A09BE5EFCFF644261C3525CC21A3A7EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402099Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:24.276{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EF469E0270A67785869DD2FC294BAEA,SHA256=9FCBAAC4444F00C8023FF1D23002B6E366061279E40EF83C41C11C87A6FFD07D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402100Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:25.276{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BF0B36272F3DBD4305A846FEBAF990E,SHA256=4D0AA9CCACFA21581C6EAD8AD2D28AE5A83906BA78F87C955C9595A0AD58AE18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457216Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:25.345{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE1B296C9525C9FA13643232EA86235B,SHA256=FC525DBAC32CF5C4369C64EA5C439F558F9F224170BB708ED645D30A2D7E0F27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402102Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:26.417{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=338E72307FD266B0190B55230CCA6E46,SHA256=6671A9515FAE390B7464A70158DFBE26E6A36F031872D750C2FC455CEDEFA97A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402101Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:26.276{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F62EB344EADF0C041888130D4B645DE,SHA256=158ECE8BF3C9E8AF12879D9477E8BE4E2F4816832B4EE4FE8DB93D894411BFA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457217Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:26.360{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF5553C0BAB11E1D7CE186E24595E773,SHA256=2C1926A700B58B42C6B5945FE7E875688FE597D1A862EB48F8053824056B75D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457219Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:25.622{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61209-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457218Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:27.376{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B95A09872CE54679DC4783ABCF7A11F3,SHA256=386FAB4983DE1BD87C4BDFF05B5E0EDC4C5D2F29B89B842CB2F7FF1821ECCB50,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000402114Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:50:27.793{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000402113Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:50:27.793{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x01609886) 13241300x8000000000000000402112Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:50:27.793{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7719c-0x546c445d) 13241300x8000000000000000402111Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:50:27.793{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d771a4-0xb630ac5d) 13241300x8000000000000000402110Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:50:27.793{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771ad-0x17f5145d) 13241300x8000000000000000402109Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:50:27.793{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000402108Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:50:27.793{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x01609886) 13241300x8000000000000000402107Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:50:27.793{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7719c-0x546c445d) 13241300x8000000000000000402106Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:50:27.793{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d771a4-0xb630ac5d) 13241300x8000000000000000402105Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:50:27.793{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771ad-0x17f5145d) 354300x8000000000000000402104Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:25.371{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54166-false10.0.1.12-8000- 23542300x8000000000000000402103Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:27.277{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A9ED63970A8F61490A42467930EF83E,SHA256=97A3C76DA42AE0695CE03B9B8DA3A4EF3EDB4D4C8C7693308745A093E28BAA29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402115Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:28.277{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=889EF2BAC3E0A96EBCE2DF1636F7CD04,SHA256=BFDC3B759D1151942CF783FA92EAA1FAFB37FFB80E0482E9FFEBD6D1E2C4F1C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457220Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:28.379{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=896BA3BDD71C554AC8B0F101B45DF260,SHA256=0A0A85A03F9B4ADE931B1984A09BB18DE34C1F8208CE534AC3D64D1028E86ECF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402116Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:29.277{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F694BDDFD24CAC704EF1111FBC139D21,SHA256=2AA274B4D96FDBE4B0DF053C31A12D42AD394F1E97B43881C45BE66865CACF07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457221Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:29.394{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D927F20FC8B4AAB7F2416BD558AE77D4,SHA256=B44B075A1410D61572AB57BD90B9ECC87905829DD955E42B0F40844CE73A1BCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457223Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:30.976{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457222Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:30.408{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F890B5204D7A82B35C6871ED8D8F95C,SHA256=2DC17CF1BA44CAC156B67CFA2191082D238620F743BF8BEDAD636645617745A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402117Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:30.277{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=066BEEDB80DD9D470FDC30C43BCB9B22,SHA256=3319A6847536D0A04A2CEE50515D12EB8D16A27FC806D29780EFB480EBBF06F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457224Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:31.438{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F18AB840C201F37A135209C5D63420F6,SHA256=777FBC97437DB207C9A0D7D9C39B05DDE3A928A832C857B03FF1D1EEAEDDA90E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402120Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:30.372{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54167-false10.0.1.12-8000- 23542300x8000000000000000402119Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:31.605{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402118Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:31.293{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F5814B756F763474A01F3D4CD2FF79A,SHA256=6A21F04DCB55C85B90D9D4544D6DDDAF572B1185F3822DD02609C8E6C5C47F79,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457226Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:30.417{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61210-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001457225Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:32.470{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DB54BCB3FB02AB56C56FFA3E4866C02,SHA256=08CA50D97F6336AAEB09D2B13AA9644398509D813B1066284E16513EE5C05185,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402124Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:31.158{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-58850-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000402123Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:32.543{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB970AADA7A6BEBFABAA709BB36D537D,SHA256=0E92E2D860692E21E39C6C079DEDD6A2EF13286EBB7FD92BA362046E09D375FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402122Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:32.543{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=602B97DE4D8263584A9F71FE66C384A8,SHA256=607F8CBCE4BDC83E19D6BA8A0BECBBEF647F50EEEED7BE8449F2AF21AF8E5822,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402121Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:32.293{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58270DFA459AAFF9C1C50C80160F083B,SHA256=4C86AF9064F662C88B58390B5A7631255154BE8980ABC4BABD47A04735E97827,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457228Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:31.615{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61211-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457227Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:33.489{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=399CCA4092E35E0189EA25AB60264CDA,SHA256=2209346A71CD2E60EB4DA4C00D53113715D0205145D12E3CC0036BBC03D05BA6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402126Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:31.810{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54168-false10.0.1.12-8089- 23542300x8000000000000000402125Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:33.293{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=750A7B30C0C0A49DCFBC012958119C42,SHA256=548DC2CBAA64DFBFDBABC747811F3948997210F48CC9837B843BA4C02810B752,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457230Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:34.519{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F93FDBAF02164462C969F613D688FAD8,SHA256=AE0AAF50738CD8A1E9F21BC7ACBEA02B4671949D85F19D1FB12F296FE0192779,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402140Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:34.590{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0E2A-60E3-1E0B-00000000D401}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402139Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:34.590{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402138Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:34.590{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402137Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:34.590{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402136Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:34.590{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402135Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:34.590{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402134Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:34.590{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402133Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:34.590{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402132Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:34.590{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402131Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:34.590{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402130Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:34.590{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0E2A-60E3-1E0B-00000000D401}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000402129Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:34.590{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0E2A-60E3-1E0B-00000000D401}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000402128Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:34.590{7F1C7D0B-0E2A-60E3-1E0B-00000000D401}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000402127Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:34.293{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9595FEE3A282DAD4567FBFF4D7EA2C9F,SHA256=6F96032948210A8360633C9F83A0F4880AB351A2B40BE555941900B8856636D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457229Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:34.135{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5EB8BAA3FC66B1095B8057E5A6F7E616,SHA256=130BEC34899726F9CCB23602E7F363DB0EBAB9E3F86EB75804B801102FC116F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457231Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:35.534{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB2B049F2FAF83453598FD817AE5CDCA,SHA256=B6D4BE2E60EBB0B29A012A31839ED3882D5D7CDEBD76C020EA960F2E97484535,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402170Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:35.762{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0E2B-60E3-200B-00000000D401}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402169Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:35.762{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402168Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:35.762{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402167Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:35.762{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402166Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:35.762{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402165Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:35.762{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402164Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:35.762{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402163Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:35.762{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402162Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:35.762{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402161Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:35.762{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402160Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:35.762{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0E2B-60E3-200B-00000000D401}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000402159Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:35.762{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0E2B-60E3-200B-00000000D401}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000402158Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:35.763{7F1C7D0B-0E2B-60E3-200B-00000000D401}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000402157Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:33.993{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-52750-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 10341000x8000000000000000402156Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:35.590{7F1C7D0B-0E2B-60E3-1F0B-00000000D401}10721560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000402155Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:35.496{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38E549256170241C129DF2919EA2301D,SHA256=2B48D339C726C42F6DF32692C282C0AC7AB1877408B412F13FD1505910442E31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402154Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:35.262{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0E2B-60E3-1F0B-00000000D401}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402153Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:35.262{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402152Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:35.262{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402151Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:35.262{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402150Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:35.262{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402149Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:35.262{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402148Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:35.262{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402147Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:35.262{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402146Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:35.262{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402145Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:35.262{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402144Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:35.262{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0E2B-60E3-1F0B-00000000D401}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000402143Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:35.262{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0E2B-60E3-1F0B-00000000D401}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000402142Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:35.262{7F1C7D0B-0E2B-60E3-1F0B-00000000D401}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000402141Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:34.996{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB970AADA7A6BEBFABAA709BB36D537D,SHA256=0E92E2D860692E21E39C6C079DEDD6A2EF13286EBB7FD92BA362046E09D375FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457232Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:36.549{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B18CDDF669D66C8B616BAA494CE073D,SHA256=AD30E83345E672DBED418D5D4B3F2831E20891F7F65EE5DDDA067C1D93CA00D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402172Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:36.496{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCEF600153429F4E43193CD04240DC08,SHA256=64DC62E9E77821F0267B9CFA00EF7E465AADB96264F1B9252B970F48BEAB6148,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402171Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:36.293{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=464464BC7B1331A56FF188B1F9A13F26,SHA256=CE2B67A5013A28F2AF37052F39C787233AD1FCA17622683FC613027C9B71CBD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457233Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:37.567{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61FD42ED96B729D9DC64EAEAE2C3C013,SHA256=6EB8E74A059BA72951EF67179D1B4C6E6FDCC3B0065CB527FB33009A2D39C0BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402173Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:37.605{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7459913A1B6650D5ADFD4CC8FC41E27D,SHA256=C82B46A59A7E4859D8078482626D29191D7BE6CA1CAFB80AEBF5B978574BD1A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402175Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:38.762{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A250585865D5A37008BCD09F1D2A60B6,SHA256=3E136BB8E5257C409116E473D240DBC69FB7CC11C39D8C4E583BD9D5C7745A33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457234Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:38.585{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94F067A29F73F4A0F50B874585A90DDA,SHA256=381CA10D3FE5DEA0BCA471661DCDC1A690A54C4C69994C534CB98083B4E80EDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402174Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:36.388{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54169-false10.0.1.12-8000- 10341000x8000000000000000402203Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:39.980{7F1C7D0B-0E2F-60E3-220B-00000000D401}29243036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001457236Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:39.600{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8060C8B4FF02058BB3810A48FDBC57F,SHA256=C88080A6261A81C12AD746614A1E2786C7D79FE82A0505A596218D0AF1D97CE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402202Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:39.746{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0E2F-60E3-220B-00000000D401}2924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402201Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:39.746{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402200Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:39.746{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402199Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:39.746{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402198Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:39.746{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402197Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:39.746{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402196Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:39.746{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402195Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:39.746{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402194Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:39.746{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402193Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:39.746{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402192Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:39.746{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0E2F-60E3-220B-00000000D401}2924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000402191Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:39.746{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0E2F-60E3-220B-00000000D401}2924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000402190Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:39.747{7F1C7D0B-0E2F-60E3-220B-00000000D401}2924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000402189Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:39.480{7F1C7D0B-0E2F-60E3-210B-00000000D401}14403508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402188Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:39.246{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0E2F-60E3-210B-00000000D401}1440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402187Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:39.246{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402186Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:39.246{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402185Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:39.246{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402184Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:39.246{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402183Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:39.246{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402182Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:39.246{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402181Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:39.246{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402180Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:39.246{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402179Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:39.246{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402178Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:39.246{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0E2F-60E3-210B-00000000D401}1440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000402177Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:39.246{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0E2F-60E3-210B-00000000D401}1440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000402176Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:39.247{7F1C7D0B-0E2F-60E3-210B-00000000D401}1440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001457235Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:37.647{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61212-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457237Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:40.614{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F162F751D405E08770EAA8329558809,SHA256=E84E13922C619605A023C5E13CF8F0B7F44882F7F26914D22F13313524DFE713,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402231Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:40.746{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0E30-60E3-240B-00000000D401}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402230Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:40.746{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402229Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:40.746{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402228Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:40.746{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402227Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:40.746{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402226Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:40.746{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402225Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:40.746{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402224Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:40.746{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402223Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:40.746{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402222Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:40.746{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402221Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:40.746{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0E30-60E3-240B-00000000D401}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000402220Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:40.746{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0E30-60E3-240B-00000000D401}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000402219Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:40.747{7F1C7D0B-0E30-60E3-240B-00000000D401}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000402218Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:40.277{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=613334CEDD26CD8EC1418BCF35E03C0A,SHA256=C230B61DA88E918BDE5372B4E63457651ED2BA6C806E6547ACDF8FF2CD687CF2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402217Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:40.246{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0E30-60E3-230B-00000000D401}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402216Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:40.246{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402215Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:40.246{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402214Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:40.246{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402213Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:40.246{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402212Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:40.246{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402211Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:40.246{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402210Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:40.246{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402209Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:40.246{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402208Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:40.246{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402207Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:40.246{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0E30-60E3-230B-00000000D401}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000402206Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:40.246{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0E30-60E3-230B-00000000D401}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000402205Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:40.247{7F1C7D0B-0E30-60E3-230B-00000000D401}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000402204Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:40.074{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7CE6A2EE19F0509076D3E7E986660EA,SHA256=96865A8A3DB007B3AAA228BCED3B964419505453795B54E4BB8D141D1D42671D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457238Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:41.629{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86A9D147E1845AA86C4AD64B19CD2AE7,SHA256=D21A3A65CD7937366B8471302A92F8AC2BC37E2147A198D60A80536334BC76FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402234Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:41.840{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F700A2AF9BE19D454473D7D8B77DAB0,SHA256=71DE282AC41AA1788996FB9A180B1EA8709437D7E9B7C291BF28D971129173D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402233Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:41.433{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3960B5149AB9E10EABF4933270DDF7B6,SHA256=0C95C33C82A2552B68989ABE70A7A9F2B0FE0D47F8C18005907FEB2A7079290C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402232Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:41.059{7F1C7D0B-0E30-60E3-240B-00000000D401}6482624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001457239Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:42.643{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4FD9212F1D5FDCF9F343E9AB04092D2,SHA256=D3C6672D0CE795A3F04B788055509731AE03752B1F57EF49547B580B97EC3765,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402235Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:42.449{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B151B13C6F3102CE9DE16F800AA59031,SHA256=EDFBF22022649F382231E29671B3119F8EC9856DDE24B2999549332BC2CBBE61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402236Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:43.449{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A8EAF9D712C9D416B8658F570AC5012,SHA256=0A3D6D3617E2AEAFEC63B4822CE861DAED3D0B3335B5DC069195B8601DA6CDF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457240Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:43.659{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2E8EA65B04C2E6269147041767D0D6F,SHA256=9DCF7019CB840D19F55706DB75355B81144B22F3AD0285A941F15BE50E61209B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457241Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:44.678{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4808745FB2EA072B3F6CD40ACF73D794,SHA256=AFB43830E1C981948259DBBCCD4F9CB528FF970C8CD7737B681862F7607F1447,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402238Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:44.449{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D6AE158CB03A9584D9044F8CFBBD1B8,SHA256=2777A1687CF3C50E5CB9AA6FA8B84D0E4A90BE58AAB74AC8FDD5589793C4D550,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402237Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:42.372{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54170-false10.0.1.12-8000- 23542300x80000000000000001457243Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:45.693{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=885000F3D711B170E2A7E702DE584184,SHA256=F5E2D02E10036B95E3B1A4B300C30B634BEA93BA97401552F6D641ED227F1808,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402239Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:45.449{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4AFA2ED5DD9C151B350AD3B9F641483,SHA256=BD89A31104A5B9CE65C9B26BE2A29E79ABAFF8E77BD6A3D0DE6B9CFAAF322194,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457242Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:43.641{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61213-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457244Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:46.707{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72FAE0653D91B1D19C279BF54D8C3322,SHA256=C7776BB55FF6730A6F1679444CF4851FEEC62CB23AFDE76E560749F915E2D636,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402240Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:46.449{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A0BADD8C484F205C383857941350578,SHA256=97AB7ABC6E0E571EDE4D94406E5A04075D8E0549E6DBE7468976E5BD9524A5BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457245Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:47.722{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=501B6BDFD02238451BFE54603224793C,SHA256=92118517097AE269E7109F5968CA37344BDF59BA2E23237B433B8C75F856DB66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402241Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:47.465{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCFB7AD2401EF50B189727F93CB214B4,SHA256=07560F67639EC826BF10963D969ECFB0DA17F9E2982ECB9620C38E6A58E4C38C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457246Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:48.736{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C10A7134EF8A87C48D8289AD6E4DA004,SHA256=4CAC0AAAC75E4790992785A58FF8A70E41B6693A6404AAED7BFD1699C1BE72EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402242Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:48.465{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60BC049DF75861BAC0E3C7765BADD80E,SHA256=40F3EBA2248DA83D2BB17E42DE35D228E17D0963BE1AB058FDC47C3B87AA2BAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457247Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:49.755{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB1E91698831CFD03316D237B2FD56DE,SHA256=C17F23CE4A7F54597AC271BFBE9E9542E5861009B0A84A690B4508AFC58E7BBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402244Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:48.341{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54171-false10.0.1.12-8000- 23542300x8000000000000000402243Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:49.465{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AECAF979542AC9FD55A61F3B542C798,SHA256=87153826EB3855E8CB8F583A221EB1A8550534E3496B029A1695FD4930B01C1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457248Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:50.772{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2860E60EB1E212DCB769146A5E20DB9,SHA256=6416AD97D57A50B77B4673405C4A9D89916CF71D022D478B53EB51345ADA23B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402245Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:50.465{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4898EE944E8062FF3568655A821F2AA3,SHA256=78DFEB992E7AA8CB376BCEAEDDCB4D524C65596B8CF88D4E28B775C0C6C6D9FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457249Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:51.786{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=349DE5C1B134072ADA33B160E7895836,SHA256=F57DFDDE95E7EAA98F8C0D0E6E288D83EEDE950678D16958DD23BA222CA4FC97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402246Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:51.478{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17CDB4C6B8CF685B75724CAA2D55C495,SHA256=D944453F01AE01D33947DD1D4A9F423F9F32B6E4AC876BFC03C31784DDFECA57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457251Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:52.801{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA4B3E3F30EC6A2D3BB7C78F6E1096FA,SHA256=CC088968D8DFC8B1FAC8BCF309AD72EBD8386B4640C6865D1BE3378A627ED183,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402247Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:52.480{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41A0675AE8AEBD8DD92E9400297F5BB8,SHA256=7567A9890167BDF449E2084F3246B6593D7C3A1EED200A9FBA99924EBBC9026B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457250Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:49.650{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61214-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457252Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:53.815{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A65CA308329F6041B85636CF5B90CF64,SHA256=51976F0FF46276A1A6F9969693F3D3DABEA2EDBC753202FFCE39D9A0B14FC4C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402248Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:53.480{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51406B816D737CC50856D234D749DD2D,SHA256=FCE290060419F432D9B3438DA6561202C5AD0EF0D6D076C3BD4166135B4BA78B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457253Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:54.829{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6938A813CDF00C8D0264F6A27C9ED54,SHA256=F27D98DE77A5885610D9B578EA1FC6FCBE919EDBF70A04E86BAF1E06AE5137DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402250Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:53.357{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54172-false10.0.1.12-8000- 23542300x8000000000000000402249Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:54.512{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3792B9279E4D1ED6E1751D5942E53F66,SHA256=AD4B55DC1E5D5AD8574A147DA42F62409267413CD595315455278D0245A6AC76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457254Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:55.846{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB207173DF8BCEFF611F3D9DC074A98D,SHA256=8B8366889E36821BEA8A9E2F11C0E44643FD89735211476BA40618923AF906D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402251Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:55.558{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF1537A326E1C8057E1E0785FDF1E90A,SHA256=21F86C0C91BEDBE9829B10DF16EA46E52E27A0D5E03F24F62775844820CB2332,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457255Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:56.865{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E5C040EFDAA9D536AD13E21C1997230,SHA256=6891B0952F25B1588DE076FE6A6FDA46403791F02A7D2B950603261BCF4406D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402252Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:56.574{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79E9CF8E074C3E49617DD3C67EA2B589,SHA256=C0626B4E5DB91E8C12157EBAB4241763970F6FA25142184F762F6EF8B7A862FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457257Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:57.879{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C15CF486631B38423EDA88FEC7F80BF,SHA256=9890709A7D261E5F9668FE2C873720E4BB8FDD6C84D81ABCD39A4FACB4D3DBD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402253Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:57.574{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=794FB68A5E527FCC0E7F8CD69960FA1E,SHA256=94336ADD1545F51990F8F93401D31E606A4523491FA8D257157E430FF4FF03C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457256Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:55.643{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61215-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457266Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:58.894{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93C535F9DFFD1BBF5F7E3D80E21573E4,SHA256=967A61E95256DD1045674E82D747A9496518F902E4218FF2062A3A04F937CE6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402254Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:58.605{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EACDF3A7CB1E9F6FA2A40BCCA5B39181,SHA256=F8E79BA76DDD49AF46EEE59C70C4B2550A35285AB85CCA9D8E43CD4F678A3A49,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457265Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:58.863{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0E42-60E3-B60B-00000000D301}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457264Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:58.863{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457263Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:58.863{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457262Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:58.863{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457261Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:58.863{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457260Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:58.863{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0E42-60E3-B60B-00000000D301}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001457259Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:58.863{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0E42-60E3-B60B-00000000D301}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001457258Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:58.863{D694AEB8-0E42-60E3-B60B-00000000D301}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001457277Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:59.895{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25ACBF324AEF7DFC9A50674AC11687BD,SHA256=9D6B766DAACD0E5A8C2071619E7E36CBDF8FCF12C7F4C47D0BE4E76355C62B0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402255Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:59.636{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B42C5E9E168EED79BC66C1D2EC28D75,SHA256=6CCF84AB325A137AEF0A3D4026331D675016AF35A80FDFB07086068AF80EB2F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457276Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:59.879{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0450FCD03B8A6F8D200DC18CF6AD758A,SHA256=AAE43A8A164D8CC9100B3175DA0E8981590711CEEF70837DAE799C8B5BF2795C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457275Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:59.879{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6C6E9187C8145A4B9125C50B85A749A,SHA256=37497311D5204D9960F7D3605FCD5A91A9D4827197D3354944CA4CC91B7FE844,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457274Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:59.412{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0E43-60E3-B70B-00000000D301}4260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457273Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:59.412{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457272Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:59.412{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457271Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:59.412{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457270Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:59.412{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457269Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:59.412{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0E43-60E3-B70B-00000000D301}4260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001457268Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:59.412{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0E43-60E3-B70B-00000000D301}4260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001457267Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:50:59.412{D694AEB8-0E43-60E3-B70B-00000000D301}4260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001457287Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:00.926{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=605F44623765C9A0AC54586D714ABC5C,SHA256=C654196B4716AC24785FD212E7B83A8F9A0009F8BB426464DA7C7272FD3A0670,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402256Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:00.668{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A28D8DDB1AD5EB6F30C8423859EE58CC,SHA256=37D380A8DB75EB1A2B477C507519116DA1599BB75AB61C2A6D36A221CBC1E5F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457286Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:00.242{D694AEB8-0E44-60E3-B80B-00000000D301}71443680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457285Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:00.079{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0E44-60E3-B80B-00000000D301}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457284Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:00.079{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457283Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:00.079{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457282Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:00.079{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457281Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:00.079{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457280Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:00.079{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0E44-60E3-B80B-00000000D301}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001457279Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:00.079{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0E44-60E3-B80B-00000000D301}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001457278Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:00.081{D694AEB8-0E44-60E3-B80B-00000000D301}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001457289Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:01.943{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C11CF66B54AF16B125A29CC48931208E,SHA256=6692E4A3CC57D20C35F7AD1A40CE3732470E4E4AC7074B4EC4971A368B741C95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402258Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:01.840{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7565CA141B5CE67CB482CEB61EF6F25,SHA256=E86955FB45744942651F242E4E3A75B1B9849654F7347748B202B1045D591C3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457288Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:01.094{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0450FCD03B8A6F8D200DC18CF6AD758A,SHA256=AAE43A8A164D8CC9100B3175DA0E8981590711CEEF70837DAE799C8B5BF2795C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402257Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:50:59.388{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54173-false10.0.1.12-8000- 23542300x80000000000000001457299Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:02.961{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5576567D13375276B9C354E54D51E171,SHA256=A94C11694CDB67C5A31E1750B306D8CAA27DFB238DA8379707E2DD6F2DAD9C73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402259Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:02.840{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE29AC7D09E647403B1EC674786652A7,SHA256=0D6F08BED2AD25F02CFD016AD476FECDE2DF98D678BD2173B48B8859C69B2484,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457298Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:02.677{D694AEB8-0E46-60E3-B90B-00000000D301}54046504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457297Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:02.524{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0E46-60E3-B90B-00000000D301}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457296Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:02.524{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457295Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:02.524{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457294Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:02.524{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457293Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:02.524{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457292Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:02.524{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0E46-60E3-B90B-00000000D301}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001457291Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:02.524{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0E46-60E3-B90B-00000000D301}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001457290Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:02.525{D694AEB8-0E46-60E3-B90B-00000000D301}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000402260Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:03.840{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6726F4F5C1D93D9FA84C5A46E765D666,SHA256=7B33B0F3CF4B0E08D449A7FB675311F47A2A47C6183A2BAB12805A4550D9760C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457319Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:03.976{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=040EF3D89F4C2EFC9AB53A78914BF23E,SHA256=188B7EA316D1B991428617B8993AEF3BC0D83747C7462B0B61732670D18AF74E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457318Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:03.707{D694AEB8-0E47-60E3-BB0B-00000000D301}69601956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457317Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:03.560{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0E47-60E3-BB0B-00000000D301}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457316Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:03.560{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457315Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:03.560{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457314Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:03.560{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457313Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:03.560{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457312Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:03.560{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0E47-60E3-BB0B-00000000D301}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001457311Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:03.560{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0E47-60E3-BB0B-00000000D301}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001457310Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:03.561{D694AEB8-0E47-60E3-BB0B-00000000D301}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001457309Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:03.543{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A855A08868314B4DB67A7E9CCD573F47,SHA256=A2F237D600F191E42F30268054A38E368F12D897F324D62641B6B4E7E5B2BB22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457308Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:03.176{D694AEB8-0E47-60E3-BA0B-00000000D301}58846112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457307Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:03.023{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0E47-60E3-BA0B-00000000D301}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457306Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:03.023{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457305Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:03.023{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457304Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:03.023{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457303Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:03.023{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457302Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:03.023{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0E47-60E3-BA0B-00000000D301}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001457301Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:03.023{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0E47-60E3-BA0B-00000000D301}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001457300Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:03.024{D694AEB8-0E47-60E3-BA0B-00000000D301}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000402261Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:04.855{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12B3D744A6B9B8DA13ACD6BDDE513EAE,SHA256=FF13C921EEACB39366AE145333C4CC0A9039B44BC2EE634B2D551975D7AF87ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457330Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:04.990{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57F8A396A11CE420002C361F35B3270A,SHA256=AD8DA499DE78D9482718DE7289CBC64606CBB8AA52C84CC1B4A68F5F2EB5E8D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457329Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:04.575{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7340525DE477D337EA3EFEC083330076,SHA256=8498AAB7E4078341110BBC718756914D19F91EF7A847A21A9FD256FD0D1AFB82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457328Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:04.175{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0E48-60E3-BC0B-00000000D301}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457327Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:04.175{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457326Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:04.175{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457325Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:04.175{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457324Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:04.175{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457323Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:04.175{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0E48-60E3-BC0B-00000000D301}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001457322Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:04.175{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0E48-60E3-BC0B-00000000D301}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001457321Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:04.177{D694AEB8-0E48-60E3-BC0B-00000000D301}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001457320Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:01.671{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61216-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000402262Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:05.855{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F3D42C58285B5B3B9BA6CE6096EDAE1,SHA256=B755EF8CC6971F3B5EE15878DB22F404283FC6AA4ABF9433D66D3E8EAA446F3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402264Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:06.855{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7733FE0E0EA3EF49C7D3E3856B786A16,SHA256=8D363DB0CA3143A2826BE8749842090A2489266606A31619B032A4148EAA7575,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457333Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:03.538{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61217-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001457332Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:03.538{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61217-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001457331Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:06.020{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18C3DB623DFD0F31314BA6BA9F5E50A4,SHA256=239996E1FD999F4EB85DAB52F58923FA997599DB72BB9851B3EAE8B27681F048,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402263Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:05.372{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54174-false10.0.1.12-8000- 23542300x80000000000000001457334Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:07.038{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18C772891536DDF3C696B65BFCEB4737,SHA256=7BB1882CB328F3C3C274CFB25804ECB1576685DEF8B444FBD552D59E53CF19ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457335Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:08.042{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD89D3E33B3FC9B97D5EC82B6FA337D2,SHA256=E2C62B25FAC67FECDD1F88C982BA64816E8A682ED849CC967C2FE152FF85BBA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402265Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:08.043{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D89898755A10802D645FF182CD653F37,SHA256=D0469C7664240646BCFB64DBE77B441CD7A35548B7B174DF92B7044C07C93AB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402266Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:09.058{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA51FC4015516A2EEE3F049E01C4EFA3,SHA256=79307C5827D2B53D212A954225797A714EF90495DE07A0178D990EA45F9E032E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457336Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:09.077{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EE89FB46B4D57D08EB6CAAED50250DD,SHA256=9361E8FA18F8CC0A881A514E4841B727E3673342AEB48CD77FE81ACE42863CF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402267Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:10.074{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF4FA43118EB8958B83295F2A4512CF6,SHA256=9B909462760DDC1F8C7225B4097E6FB812CF5BDD58AC55353A8956D2043E1314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457338Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:10.107{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F8976CAA422D0196C9788D63A0B562F,SHA256=6BC24187FBC1ED4B8E6B9D6E315C038926B92FBDC1006C61F3616070CEFF4321,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457337Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:07.671{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61218-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457339Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:11.121{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B683B5E1BEF161F0111052518C376E0,SHA256=D84A92050FAD1D9BF71876B285866F1977E770A6606874B2D3C3EE75D5BAD692,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402268Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:11.074{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFF03C4B397FC7FB3FD77955939ADD49,SHA256=1D57FCBB56A7A41842F4B4E7BE343FF772FCF3E92813A1A52F92693F66BF25EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457340Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:12.138{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8102BB7C7C16F2955D9882142C6C7BBE,SHA256=BF23F6F96BE8EE2CA422B5D126F117C38FE71ECAE35FF6A570500B6AC6463061,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402270Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:11.341{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54175-false10.0.1.12-8000- 23542300x8000000000000000402269Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:12.090{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23BA7D48A7143FF60F09E2C4CA7E9886,SHA256=92A22A0893169F5C39E33875B9D3F066753F9238DF9E1EEA2EC3DEFE1E494498,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457341Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:13.173{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1AB39CFB8C25CB4755E638D4D606593,SHA256=14DD254AD26B1F7FF13D9FD47EF1EE1A983EAAA52F20EAA8249D174363A91E10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402271Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:13.105{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F695D96801238DFA2884510229D7C6F0,SHA256=AC1B42A78D785EDF205BA5A334105DCA941A2E888C06083B448B1EB830A7553B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402272Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:14.105{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A47B65AD1AA844C048717CEDAA57F103,SHA256=2F5CCE82F153656A4310669124EAC3C598E9C67382297ACB19437EB811209F52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457342Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:14.202{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=927FC274A8B25A68717F9D45F4F41141,SHA256=69A38EB9DF977D8401BBC4CE5FC047FDB6074795195FE6D7416FE971120B31B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457343Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:15.217{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59695808262F0D31D23F43ED98B1B116,SHA256=5ADA6A172D8F62855D4D0F2C67B77FE11B9315CB7B602E10265DC275BF18EB71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402273Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:15.136{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B64CD765114AF0EAB49C358E1BDF119,SHA256=D1D5C9662E24C270AD770C8558FB1D33EE0782504AC8A3CD3B03F680B7A7B49C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457345Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:16.256{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85C1FF65A8CE8B54A9E2AD785B74C153,SHA256=7854667C4912E0F03055CBC0453B093F2E19EDA232A061364E637FFF8E949851,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402274Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:16.152{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAE6C33E1EAAD56F9E705566DA75C433,SHA256=CC786995F26FFA55A31206E2D807F63FCA3FFD7A46EE7EC74510E05C6264E75D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457344Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:13.702{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61219-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457346Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:17.270{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35888BE12A1A2C9C103498635691B529,SHA256=519AFE63C0B56D03663B0251DD3E06F667B669E50703A54B5633CEC48C7C6845,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402275Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:17.199{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D680CB19FA7E40DA14FE85ACD1A917F,SHA256=ABE02EE3F429A611F7C53CE6AF8EF8A541DEB2E388E81F2664602D3BD94F031C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402276Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:18.199{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE722EF30E33C233E4A5F48CBE9F3BB0,SHA256=96C05F2663F47D0917ACAD1DF4112A119C00B2A8812318EDD191DB3982B6A8E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457347Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:18.300{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B342326D5C9F7B0065D9407449A2748,SHA256=54F5FAE507C367E18D03CB2F81A2B6970DFB7D7380FEB7CEA167C61C98C6A4D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402278Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:19.199{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18FC8376BB06A8BBF0F19ABD6E60F081,SHA256=A32C338741568E94CD1F78BE168C4853E73C060FD8FBDCEB5F689E8257DFD123,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457348Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:19.315{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8116F5138CCECB82C83068D0D17ED699,SHA256=6ECC6846B96601451BCBAFA453E1F9998F198E3FB92BC57C899A56C6348922AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402277Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:17.341{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54176-false10.0.1.12-8000- 23542300x80000000000000001457349Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:20.331{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56781C2E7472987A2F97D4E81292705F,SHA256=EC76FE1637F6AFF92A0BDAB9B3580F915B164479FAD2A2D5B5A43570E310D884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402279Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:20.230{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=114714EAD9E66557CF05FDCE5DD848EF,SHA256=05F88996CC44057A5DEC1D7EA3BDE342A42025517FD3D9059FDE2C5A5248D11F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457351Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:19.476{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61220-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457350Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:21.365{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACE367E6EEBE45C7B0C1D7E80E2061A1,SHA256=9A56E3C78DA317A59A679DF5F4B6BA74644971EC62F4A835F10CA08FA7078126,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402280Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:21.324{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0FEAFE9BAC752B2A3C99C68BC38B84B,SHA256=51C13044D84BE169CDFC3000CB96167E9D0F9926FF5F1922A809D45B092276F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402281Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:22.402{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=850EC6C802C9D4CE5C359105082FEB60,SHA256=66789785050957B6FE82FBDFE787E91A78904954DDFA7C9042D2C7BA9B5A16D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457355Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:22.894{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=757FF8D04B2A98861E94DE443EB1C8C0,SHA256=5C8F3C5353AF55828EF236CE78B6EBB1B699F9A672A354231C1922F3361C0D60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457354Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:22.894{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29401C6D54D13299F2F1EA828EFACD49,SHA256=2CB70E2B052413AEF2378433FC9027623FAAB0F926CC5442326A0F640624FD6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457353Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:22.395{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AFB089232EE2A51914918B700347C3C,SHA256=B57ED099CD860C5ECCE47C235A6D938CD6E36DC353A03DF5EA64AB2D13A0DFE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457352Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:21.995{D694AEB8-B3E8-60E2-0B00-00000000D301}6566904C:\Windows\system32\lsass.exe{D694AEB8-B3E5-60E2-0100-00000000D301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000402282Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:23.402{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04977A4E6A7D01EDF01A0097D9B8B29C,SHA256=27A9F4F3CCA2F139F70647D0346DCB3C85DF8449A435FDF5BCD956F1E3BEE45B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457360Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:21.336{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-201.attackrange.local61222-false10.0.1.14win-dc-201.attackrange.local389ldap 354300x80000000000000001457359Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:21.336{D694AEB8-B3EA-60E2-1600-00000000D301}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61222-false10.0.1.14win-dc-201.attackrange.local389ldap 354300x80000000000000001457358Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:21.330{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61221-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001457357Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:21.329{D694AEB8-B3EA-60E2-1600-00000000D301}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61221-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 23542300x80000000000000001457356Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:23.428{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3482BBD69CB2EF9E19875466E923F9DB,SHA256=5D916801D7A3CBB03964ED6135F59FFA0233C459A7186C7CAB87866328099D63,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402284Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:23.279{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54177-false10.0.1.12-8000- 23542300x8000000000000000402283Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:24.402{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E41283C0EA77591DC621CEC72B4E6A5F,SHA256=D3C056985F9BD43101D3E5B1E75BD02D9B1EDBFFDFD6E1946F047F79A4F83DB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457392Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:24.776{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457391Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:24.776{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457390Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:24.776{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457389Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:24.776{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457388Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:24.776{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457387Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:24.776{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457386Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:24.776{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457385Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:24.776{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457384Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:24.776{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457383Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:24.776{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457382Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:24.776{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457381Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:24.776{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457380Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:24.776{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457379Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:24.776{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457378Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:24.776{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457377Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:24.776{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457376Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:24.776{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457375Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:24.776{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457374Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:24.776{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457373Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:24.776{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457372Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:24.776{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457371Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:24.776{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457370Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:24.776{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457369Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:24.776{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457368Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:24.776{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457367Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:24.776{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457366Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:24.776{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457365Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:24.776{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457364Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:24.776{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001457363Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:21.445{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61223-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local445microsoft-ds 354300x80000000000000001457362Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:21.445{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61223-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local445microsoft-ds 23542300x80000000000000001457361Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:24.461{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CC45107BC42E81C369945411680C587,SHA256=2AB58BB7A353E036751E201BC761647C5909E4CCBDF08E0ED1B85DCA1D2F5A51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457396Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:25.775{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A0978E7DF7DA4C93172B3E0D1127C31,SHA256=76F5420461CA3F7E0D17213C76E7B24F7CE9D5EA032BDFB7311466857B05635B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402285Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:25.402{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5511284F2A351BBE73BB1EE315ACDA86,SHA256=1A5C81D79AD1B882A91E1F491E7081D6B9B3B6AE006E1E00436D061F4019BEFE,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001457395Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:51:25.076{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\DFD6B7A8-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_DFD6B7A8-0000-0000-0000-100000000000.XML 13241300x80000000000000001457394Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:51:25.076{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E4B998BB-7148-4125-92A5-5D16014446F6\Config SourceDWORD (0x00000001) 13241300x80000000000000001457393Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:51:25.076{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E4B998BB-7148-4125-92A5-5D16014446F6\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_E4B998BB-7148-4125-92A5-5D16014446F6.XML 23542300x80000000000000001457404Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:26.826{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=678201583A09D2D40D10831C5BF3A533,SHA256=F25A70242056E8401FE684A9E5C3607F3911DFB9C08FECEDD8DA562DE59ED166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402287Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:26.418{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F0347F4138AF407F0067D853C766886D,SHA256=0418CD2497B3922D263857EDE1474DF778335B2D75DDE445F661EFAE9CFA388E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402286Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:26.402{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F21DDC5C5668033488D67F75BCEEC9F,SHA256=782BF26F848B49F538A077FF123ACD106A2FFE315D7FE0AF2F2A350C84C6BD35,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457403Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:24.542{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61226-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001457402Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:24.542{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61226-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001457401Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:24.537{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61225-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001457400Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:24.537{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61225-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001457399Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:24.524{D694AEB8-B3EA-60E2-0D00-00000000D301}916C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61224-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local135epmap 354300x80000000000000001457398Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:24.524{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61224-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local135epmap 23542300x80000000000000001457397Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:26.106{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=757FF8D04B2A98861E94DE443EB1C8C0,SHA256=5C8F3C5353AF55828EF236CE78B6EBB1B699F9A672A354231C1922F3361C0D60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457406Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:27.873{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C91EB81A1121759AD88DA3EC157A9736,SHA256=DA741816035FC033944BFD80530EEC5F393E4E2563B2DB080D62AD0F8D51008A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402288Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:27.402{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=307B03B609E7E277472C8E461C9EF1DF,SHA256=F9B79EC00677C387194D216EC2E993B6AA3FA014778D87C0DC5540FB0031883E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457405Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:25.472{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61227-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457407Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:28.887{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DCE998F05777027A624789BB3A4FFB8,SHA256=2A6CF6B48B9921E2400B7599A7EB42E9D8D28C6DB143D6711404F24EAAC9E74B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402289Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:28.543{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACEA03863835E5EBEA7D4462ADBFC7D8,SHA256=DCD98A1318DDB4E10B20553B72952EA0EEE2C2EBA39CD2DF063E2129850F9020,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457408Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:29.902{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33F49757CA89654FE19945092A8B235C,SHA256=559D9EA65F3AF4B5E56676342C256913E58F3A2E715AB882E80A2FFC8C8E1433,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402290Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:29.715{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE0AC1FD043E17DE60CCF9B32218828A,SHA256=22F8E2CFB54BEF3CD3560ED3FDD15C471040A8909877E9F22169FEF8984203D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457409Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:30.919{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=291CCA192E03021F05E5266281D6843A,SHA256=2E11EDB2B9D6A5A88AB713A609CE37FD9DCA7F9C51E2B6FE9BCC2C9BE69FD088,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402292Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:30.715{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF1A8F19A85BECC63671CDE9A43E0B89,SHA256=C76C9DFF1E61ABBE4917B8BB7C0BAFF78C17A169F5B62B5BA244276FB6BF81C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402291Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:28.295{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54178-false10.0.1.12-8000- 23542300x80000000000000001457411Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:31.952{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62910FAA914D5A6B3DB69CC4456FF861,SHA256=4119F79848EC1E431C493B99F45324B6A4B4B411DB12D9B4097D167D7E6FA779,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402294Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:31.715{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0FC4BEDF321C0128A68B1A8E3D8ECC9,SHA256=1974542FA62AB11F5FE1751D4034C7308BC47C2FC0532CA0D0E79FA3FDB2ACBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457410Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:31.000{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402293Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:31.621{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402298Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:32.715{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBEFEAAEBBBFE52EF9E87C13525453F9,SHA256=0FA3BA2149A867F13891D8B9D05DEDBACA994341154AC286D84438FB1D15DBD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457413Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:32.967{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=303C5FAB678484FA75AE097B15A0F0A9,SHA256=869980E6B14BF170A2F820F09FA52440F4766479938E46DDD4800880DB927124,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457412Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:30.432{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61228-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000402297Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:32.277{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71C260D7BD61BD5C16A2DD47E705F38B,SHA256=1CEA8178E60F984E702A9230197516FF4C5A3D116624AB3D87FAE768E6F71C19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402296Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:32.277{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B965714BC1061339AA81EABC27111FA,SHA256=820661A23BD77E4129E23B523D875B7043858F0658CD00A9188858E863A7C396,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402295Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:30.625{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-58628-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x80000000000000001457417Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:33.981{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59F80C0C61EF5784B0616C072E5ADC3A,SHA256=D42D915FE3B6FF6B828C3684CB887D23FE5A9FE406D05BCAB97F895587C93477,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402299Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:33.730{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=664FF3A183F993699C7826ABFC8F2981,SHA256=E9C489AF704B934E6259C6EB220A913DDE3C9883ECCE3BC9247C8EBE9AFCA5F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457416Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:31.499{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61229-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457415Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:33.781{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E250D87242C84534FEDBDA198A171F5,SHA256=D325DA50F0481E639264FC1355331C1EFF0D471AD1F3D2EA741FFE355C5DBA10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457414Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:33.781{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11607CBEED9189FE54A335A0A61234DB,SHA256=AE6A287C28DB5F3804EF04889962A96EEB487DA7F34A17EA90EF5443BCDD3843,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457419Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:34.996{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BE2CFF34EE82FBF6EB683297D1C616C,SHA256=FFB959524EFC048CBEF2808AA6741039A2FAF5033813BDF1FA7AC1DC81727AE9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402315Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:34.840{7F1C7D0B-0E66-60E3-250B-00000000D401}18042008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000402314Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:34.746{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAA8FB8AE1A8E0E93D46DFFD915AAA73,SHA256=578B58569B5257D1CD0B48A4EF0A80F7FC44B2D6CB0D07B4EE92554B2482F5A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457418Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:34.150{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=80926BFDC40112BB51B722D740DCDE84,SHA256=64C2E2B7BF58CC29ACAED9AA29367857DA1518422B29210A13A1B74CB4043EBB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402313Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:34.574{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0E66-60E3-250B-00000000D401}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402312Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:34.574{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402311Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:34.574{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402310Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:34.574{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402309Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:34.574{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402308Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:34.574{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402307Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:34.574{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402306Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:34.574{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402305Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:34.574{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402304Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:34.574{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402303Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:34.574{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0E66-60E3-250B-00000000D401}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000402302Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:34.574{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0E66-60E3-250B-00000000D401}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000402301Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:34.575{7F1C7D0B-0E66-60E3-250B-00000000D401}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000402300Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:31.826{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54179-false10.0.1.12-8089- 23542300x8000000000000000402344Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:35.886{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3087644D9AE70C4D6C31B3563D2EBAB9,SHA256=A706401F886169DAB213A02D083BFED48C1DAAC0181E443CEC6581B6F42D8FD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402343Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:35.761{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71C260D7BD61BD5C16A2DD47E705F38B,SHA256=1CEA8178E60F984E702A9230197516FF4C5A3D116624AB3D87FAE768E6F71C19,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402342Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:35.746{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0E67-60E3-270B-00000000D401}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402341Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:35.746{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402340Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:35.746{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402339Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:35.746{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402338Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:35.746{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402337Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:35.746{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402336Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:35.746{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402335Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:35.746{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402334Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:35.746{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402333Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:35.746{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402332Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:35.746{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0E67-60E3-270B-00000000D401}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000402331Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:35.746{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0E67-60E3-270B-00000000D401}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000402330Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:35.746{7F1C7D0B-0E67-60E3-270B-00000000D401}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000402329Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:33.310{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54180-false10.0.1.12-8000- 10341000x8000000000000000402328Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:35.074{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0E67-60E3-260B-00000000D401}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402327Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:35.074{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402326Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:35.074{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402325Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:35.074{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402324Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:35.074{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402323Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:35.074{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402322Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:35.074{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402321Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:35.074{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402320Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:35.074{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402319Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:35.074{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402318Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:35.074{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0E67-60E3-260B-00000000D401}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000402317Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:35.074{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0E67-60E3-260B-00000000D401}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000402316Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:35.075{7F1C7D0B-0E67-60E3-260B-00000000D401}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000402345Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:36.980{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01A1478350C8C5AE09BACF2178F39059,SHA256=FC839A52A254B02B8E55E3C28F7D548F102535F7DA1D9D197D2D4CDB02AF8C4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457420Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:36.013{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B14DE7BE57569AA0CF493421CC9CD28,SHA256=D4467A706F1C35758AC6C28EBBD9542E54CDEE1E648801398B6B9377A899C1D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402346Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:37.980{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC6673664DB172EAFE7A6B0697324979,SHA256=3E6576AF421FA695CECFEFBFDE0CD762FEA39141E009948D9A8B9CF5EDFBEBB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457421Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:37.032{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4E78D83F9D0340E53F6067CEF909797,SHA256=083C38EFFCD3D5DE6DBC858EDA8613BC80DEA0A85CCEDDE8AAE5A8B5614A0E11,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457423Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:36.509{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61230-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457422Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:38.046{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B6B32A2DCCCC9E9EF679ED3B903D690,SHA256=9BE7A06EEBDC1CF0395FEC2B5B27B05D69DEE3F995C8436AC278CE6A6DF8ED2B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402375Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:39.933{7F1C7D0B-0E6B-60E3-290B-00000000D401}33883140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402374Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:39.730{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0E6B-60E3-290B-00000000D401}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402373Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:39.730{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402372Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:39.730{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402371Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:39.730{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402370Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:39.730{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402369Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:39.730{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402368Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:39.730{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402367Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:39.730{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402366Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:39.730{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402365Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:39.730{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402364Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:39.730{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0E6B-60E3-290B-00000000D401}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000402363Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:39.730{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0E6B-60E3-290B-00000000D401}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000402362Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:39.734{7F1C7D0B-0E6B-60E3-290B-00000000D401}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000402361Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:39.465{7F1C7D0B-0E6B-60E3-280B-00000000D401}24683748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402360Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:39.230{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0E6B-60E3-280B-00000000D401}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402359Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:39.230{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402358Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:39.230{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402357Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:39.230{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402356Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:39.230{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402355Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:39.230{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402354Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:39.230{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402353Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:39.230{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402352Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:39.230{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402351Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:39.230{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402350Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:39.230{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0E6B-60E3-280B-00000000D401}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000402349Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:39.230{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0E6B-60E3-280B-00000000D401}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000402348Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:39.231{7F1C7D0B-0E6B-60E3-280B-00000000D401}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000402347Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:39.152{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0CD3440A29B343CBF6EB501DBDC6658,SHA256=C2DBEA833C2BD9EF3BD37F0DF763CDC9A82B212C3872ACA813B44D1A131C16E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457424Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:39.076{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6850A6E35A3D1152DE52E3F07327444A,SHA256=8D09C7666FD065C9D7F9CAE3AD86B5BA621FE77808C9F591EC08192539EB526F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402392Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:40.558{7F1C7D0B-0E6C-60E3-2A0B-00000000D401}6683960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000402391Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:40.449{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E09060509348E0B7B15CA16124E37E4F,SHA256=93B8B96572D00C142DBB7531B8CBE35D2D4F53A531909A86AFCAD7DF4EF76BD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402390Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:40.449{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACA373485F8C5F2C279DE8621ACD8AA2,SHA256=EF5970B65AF5ABA3CAA02D25B96D22E424C26B8EC66787965ED2317A5FC7BB15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402389Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:40.402{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0E6C-60E3-2A0B-00000000D401}668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402388Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:40.402{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402387Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:40.402{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402386Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:40.402{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402385Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:40.402{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402384Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:40.402{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402383Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:40.402{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402382Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:40.402{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0E6C-60E3-2A0B-00000000D401}668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000402381Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:40.402{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402380Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:40.402{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402379Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:40.402{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402378Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:40.402{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0E6C-60E3-2A0B-00000000D401}668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000402377Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:40.403{7F1C7D0B-0E6C-60E3-2A0B-00000000D401}668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000402376Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:39.311{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54181-false10.0.1.12-8000- 23542300x80000000000000001457425Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:40.090{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E22EA0BCFD27B48EFDB82FF00B6606B7,SHA256=39FA68D4E0A11394BD92AC33CB71A30A134E426F10468863FA5A19F69CFA5749,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402407Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:41.574{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D38E9935B2613831DE0C4A30A1B446D,SHA256=1011C3584574C7589559872C48AF1D4C8A452E52A9CED0732CBBD480A7DED178,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402406Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:41.574{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E29805A4BFEA4A8A67B949AB8B3B1FF8,SHA256=EF910EE202D76289C96E2448E1652E2507A80C6C31FE64E3780DBB5ACCBDC674,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457426Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:41.108{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=210A8EE03142296248247E65F6D44937,SHA256=8568797D672336D3BEF81BDCC32AEF619300808DD1152502252EE3E2C97B0B69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402405Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:41.074{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0E6D-60E3-2B0B-00000000D401}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402404Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:41.074{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402403Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:41.074{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402402Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:41.074{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402401Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:41.074{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402400Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:41.074{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402399Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:41.074{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402398Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:41.074{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402397Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:41.074{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402396Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:41.074{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402395Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:41.074{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0E6D-60E3-2B0B-00000000D401}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000402394Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:41.074{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0E6D-60E3-2B0B-00000000D401}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000402393Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:41.075{7F1C7D0B-0E6D-60E3-2B0B-00000000D401}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000402408Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:42.590{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC2BC8AC2C89CF870B09554E4C1CE3BE,SHA256=78FA70F9B80E7E304D3F869837A6931D19F406A072CD7577BE573586820172B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457427Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:42.172{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFF1D92D8612F866B0B5B1B2E4673595,SHA256=AA71F29D5AE5438B439066E1CDBA3E09A596120C6102D39795AF07CA60C93BF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402409Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:43.590{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACC3422B25EDFCC3C0248811DC58D766,SHA256=F87E5BEE024FB3C5C51CC9980B1D19B69BCC8C45EF082497A447CD0463B322F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457428Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:43.205{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39AF642648EF63114B4611C9D1DD8505,SHA256=C6E11B748A5CA20D1A587C9527CFA20970B30ACF209CEA82A429FD377D031438,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402410Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:44.761{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53872622FE400292EE1D84851811167D,SHA256=04518F15F1E7CEF618B41BB4B52AED3EBAC8AEC6D55AC7BB1A91F96A652CE840,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457429Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:44.223{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDD84C628BD58621FA6E52A95C169132,SHA256=EFD3F2834311A91974EE31C42BB655AEC3F341D8703C19E195A48DDE74C2AF69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402411Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:45.793{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B2C4F1BB8BC01B8DC4610C44DB960FD,SHA256=D4A98F25FAA57C237838579AEB1014F9C3652D10D4D39CBDCEDC8A49FBF6E71C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457431Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:45.238{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F21335FBCF12700FC5BB8B868063803,SHA256=AFEBD75DFC00FB3E3BBA04ED52576F64D377459148ACABF67A76104922EBA493,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457430Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:42.533{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61232-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000402413Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:45.342{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54182-false10.0.1.12-8000- 23542300x8000000000000000402412Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:46.793{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C13878F06505D7EAA169B227ADB6F36F,SHA256=A46BB903DD0C3769D3099246C12F6401E0F31D9F7833BAE98AAE8362C939E3BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457432Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:46.268{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AEDEB27A4E3791424ACE00267A8C1D2,SHA256=D1627F0A12624A47678393C06174132A09F0718B5049344C1899DA653631B38B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402414Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:47.840{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AF4BD455A247BA9D266EC9E43F47F72,SHA256=347081387D2ED544BEA9F8A68DBCF62B23D63F72F8FD9FEB5DFF03862FA29FF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457433Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:47.300{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B4279D6C544633AA058486B70D99F53,SHA256=6C51FDF9EE2131665874F110F933804243B3DAF35FFD5AB6F58A40631E59719B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402415Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:48.886{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24B66AD485A776CBAAF1D5252A9227B0,SHA256=21BF186E4920000404B65F1D65EC677274E7F0F97D8E83A651B611CC8026C115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457434Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:48.334{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=521885ED2C8E1C7C8CA36C2AB9CB1208,SHA256=D85F12B380197B18487F36B348507E62AB1BB6376900DC421AA4F73ED4B39093,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402416Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:49.996{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA432BCB6C62D8265D779C1161FCE4DE,SHA256=FE6D445AB1CD754EC7DFD9D876BCB8F1AEDEC2F52FE9667966F6A0EC3D510C8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457435Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:49.349{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D311BD152C063430CECDE4CFBF1206A,SHA256=0860B5D437E9B63D43B0507B14582860AEC4A9FB411F424ED2ED2225433CA573,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457438Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:50.400{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1E9979374B9D9281BAA17E470480523,SHA256=2F48F515401A31C858EE7D103951E65EEC78932BED9FF53AAAC500AD6D1A3A4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457437Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:50.399{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E250D87242C84534FEDBDA198A171F5,SHA256=D325DA50F0481E639264FC1355331C1EFF0D471AD1F3D2EA741FFE355C5DBA10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457436Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:50.363{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AE78223C9418FD0B2A9A9841D9FE471,SHA256=609B17065E0B36DA4D3E7145C1419F49571B5106D8F3B32F457CD3B3BD996125,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457441Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:51.365{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3384A3F297FE43E658A2194B5FC8ECA1,SHA256=33523C234D6EC0F95157D74EECD0C1824440ACD5BB497855316F1BF3D59DBBC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402417Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:51.061{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20FFB2CA46298403BDE3D9096F996657,SHA256=8B1C1CBFDC0A316AF5DC0AB09F5D7A198F23ABDD100C63F77550769764947A8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457440Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:48.612{D694AEB8-B3EA-60E2-0F00-00000000D301}376C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-54934-false10.0.1.14win-dc-201.attackrange.local3389ms-wbt-server 354300x80000000000000001457439Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:48.543{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61235-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457442Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:52.365{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D18AAC24DF17E09C62A64A78E0A486D,SHA256=BB6424AB2B86443ABA59FEF515B8E534E694B37DA9E888FA948E648885AAE627,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402418Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:52.073{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B4BD06C2CEB938306D0D438E2495FE6,SHA256=0C557F019D763F9513C01F98A86E9F2FF216EE31C738625D383ADEE6DBEEB2A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457443Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:53.397{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96B5A85BEA319AB5F4006D6512D1C95B,SHA256=8814D399FADC4F07E626D95E819F1CFB623522222E46312287C9324D638C236F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402420Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:51.328{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54183-false10.0.1.12-8000- 23542300x8000000000000000402419Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:53.074{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54D49673C77892AB5FA153EE7F53D04D,SHA256=3AD2440F13BD47D057182C2EE18D17971254DD9DF84F82FDC476338331E02350,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457444Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:54.432{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5274E671425679853FD140A4A0D5E88,SHA256=70A765D3255D6A18D176316DB883BD78F118635886E222AFC70EBDD5D9D5F9FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402421Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:54.121{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8889DCC1EEAB2CCABA2008C062C5A85,SHA256=97976177C02917774172A43251D54D38EE17A6A15091FF1FCE706A37300C7E2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457445Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:55.446{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D61F7DF999FC986D763FC8BDAA68A3AE,SHA256=2C587A93193D6E57A3953FBCE97F18151CBCC95D8D7B4FE90DABA9CFEC894A37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402422Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:55.293{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7206F419DC1180C9D263B031F05020F,SHA256=BD2003B09A3E62D4E5F1E4E22DACD239AD28CCF0D14498650FD93BA7AE1D4BFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457447Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:56.461{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46EF9799CC46144F0F000C4C32038DA6,SHA256=375E6A673CEC0928EDA50634FC7AD167AEEA0059BEC0F00CDE47D53CB3ED509F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402423Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:56.355{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA2D2E5532F04C62E25483CBF3845777,SHA256=DFC89A7A44FB2A243B70C00E45EF6D6BC602A4CDDDA575863F743E6836FD6BD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457446Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:53.563{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61236-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457448Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:57.493{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75101A526F3091B3351692E36C7B3089,SHA256=37C8F6393BCCE69D51BFA2ECA14D3C08B5EF397F0BB2A6B506EEF4D250FDC626,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402424Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:57.355{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9EEABD7324C66ED705FFA70476BC1E4,SHA256=1B1239AFD892549B16A65070BE423FD50FD2384815EF6C2FFA027F05003B39AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457457Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:58.874{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0E7E-60E3-BD0B-00000000D301}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457456Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:58.874{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457455Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:58.874{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457454Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:58.874{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457453Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:58.874{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457452Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:58.874{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0E7E-60E3-BD0B-00000000D301}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001457451Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:58.874{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0E7E-60E3-BD0B-00000000D301}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001457450Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:58.875{D694AEB8-0E7E-60E3-BD0B-00000000D301}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001457449Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:58.527{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3387D0FFBBC549F69D78A69CF2EB563B,SHA256=9459C4EC734AE12CF1C50E93949A7BF507896F071B5A3E5F3B1310F7524E3E98,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402426Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:57.295{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54184-false10.0.1.12-8000- 23542300x8000000000000000402425Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:58.371{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=088CE4E0878F80409308CC09E3DAB820,SHA256=01D539E8CAEA2441FF7DA8730D16FBC929FCB1C205810B9D241A9D00A3F250DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457469Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:59.892{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F88D4C8A6E918D58A232BBB23CE4658,SHA256=ECBFBA03F192D2C6730B77958023337D09B06109050FDCE76345F76D1A52F392,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457468Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:59.891{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1E9979374B9D9281BAA17E470480523,SHA256=2F48F515401A31C858EE7D103951E65EEC78932BED9FF53AAAC500AD6D1A3A4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457467Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:59.695{D694AEB8-0E7F-60E3-BE0B-00000000D301}32446280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001457466Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:59.557{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67FF455151F47AE7774CE01FA2F91276,SHA256=F3D2FEDA595F7EB353754183C93F62A7C320396B604D07758F03BB69963E4773,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457465Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:59.557{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0E7F-60E3-BE0B-00000000D301}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457464Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:59.557{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457463Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:59.557{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457462Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:59.557{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457461Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:59.557{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457460Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:59.557{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0E7F-60E3-BE0B-00000000D301}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001457459Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:59.557{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0E7F-60E3-BE0B-00000000D301}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001457458Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:59.558{D694AEB8-0E7F-60E3-BE0B-00000000D301}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000402427Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:51:59.371{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D74C57A82AD5AABC0F9D70850BBA6BD5,SHA256=CD34255818CD5E9C8384A2A5E40783296AD86DD7099B72723BDDB002E99C28CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457478Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:00.594{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=301CCEF9F93EDAF82EBCA8F0BB59619F,SHA256=77EE27CE8E4C6FE0518E24BAAE867D45703798BAB4DE0D707CE951C5D9F52493,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402428Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:00.371{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A47658AE6C8F7F6F4A31B24D6D72FCE9,SHA256=95DDAB13573ECD8A88A67BABE85FD04D19DDDC70B0F4D48D6F9B1AF04C7CD279,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457477Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:00.242{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0E80-60E3-BF0B-00000000D301}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457476Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:00.242{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457475Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:00.242{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457474Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:00.242{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457473Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:00.242{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457472Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:00.242{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0E80-60E3-BF0B-00000000D301}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001457471Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:00.242{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0E80-60E3-BF0B-00000000D301}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001457470Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:00.242{D694AEB8-0E80-60E3-BF0B-00000000D301}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001457481Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:01.609{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C75D878B43084E43092184211B323A97,SHA256=4AED318D5AAD875656549A40C282EAA8A877D070AB01F1AB1BD96300F28D8DBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402429Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:01.371{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DD57AF882176C1D6B801335A7B18E1E,SHA256=917B6FDF7262C28BB2A06DCA53C73F7F3641FC058B8CDE3C8E4D33610525168C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457480Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:51:59.588{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61238-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457479Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:01.256{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F88D4C8A6E918D58A232BBB23CE4658,SHA256=ECBFBA03F192D2C6730B77958023337D09B06109050FDCE76345F76D1A52F392,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457491Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:02.670{D694AEB8-0E82-60E3-C00B-00000000D301}55606124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001457490Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:02.623{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=586F72F22A5521589854BA7B8C846365,SHA256=34EB8B22F1717980B4334E04DD6B285634D335542663A761C8D21230A716A593,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402430Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:02.371{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17545198E2CB2D5B1B3A4A0797733A12,SHA256=F7FFFA9E671E6E5E69729D030925AF8EBC036BDCCFF4C572B6B40DD140F998D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457489Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:02.523{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0E82-60E3-C00B-00000000D301}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457488Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:02.523{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457487Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:02.523{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457486Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:02.523{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457485Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:02.523{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457484Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:02.523{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0E82-60E3-C00B-00000000D301}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001457483Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:02.523{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0E82-60E3-C00B-00000000D301}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001457482Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:02.524{D694AEB8-0E82-60E3-C00B-00000000D301}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001457510Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:03.890{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0E83-60E3-C20B-00000000D301}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457509Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:03.888{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457508Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:03.888{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457507Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:03.887{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457506Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:03.887{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457505Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:03.887{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0E83-60E3-C20B-00000000D301}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001457504Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:03.887{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0E83-60E3-C20B-00000000D301}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001457503Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:03.885{D694AEB8-0E83-60E3-C20B-00000000D301}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001457502Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:03.638{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26EA4850404A51B698A76AF5AFD8801A,SHA256=489E8D89DB0FF056499AC8EAC7F5D71C17D886D60A7C7BC3519ECA5AF03C3300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402431Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:03.371{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FC56C731231321F46C5F4DB357F4947,SHA256=55390A565ABC5BB94B4B25D84B7A4C49A33923D3E054CA7B1CE0474E2F826B47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457501Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:03.554{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81D603CB55F1631F446225E8631308E1,SHA256=D1A09D961B65D0C3AD6CF66423C4182445F8C9CF3AA03010DFE9FA8069D428DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457500Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:03.354{D694AEB8-0E83-60E3-C10B-00000000D301}66206476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457499Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:03.206{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0E83-60E3-C10B-00000000D301}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457498Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:03.206{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457497Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:03.206{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457496Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:03.206{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457495Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:03.206{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457494Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:03.206{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0E83-60E3-C10B-00000000D301}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001457493Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:03.206{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0E83-60E3-C10B-00000000D301}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001457492Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:03.207{D694AEB8-0E83-60E3-C10B-00000000D301}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001457521Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:04.907{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05D56983D6504789E9E2DF9265442AB7,SHA256=5BD563E8DAE8C387712E2EE646085F795EB96FE255A4CB3749DF59273891AAF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457520Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:04.736{D694AEB8-0E84-60E3-C30B-00000000D301}62646608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001457519Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:04.690{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CACB2B107E649CEE10B2C214EDBBAA9,SHA256=837649CB9A5DD272292912F14BADD3812220E138865E1A587C5477716B806ABE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402433Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:02.483{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54185-false10.0.1.12-8000- 23542300x8000000000000000402432Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:04.387{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D643FB5475FF13D9DDE2E098B5F879E,SHA256=18E206D40D8EF434C5439E92B2C061F1567BA8542B62F853A36080EF25881591,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457518Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:04.568{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0E84-60E3-C30B-00000000D301}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457517Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:04.568{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457516Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:04.568{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457515Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:04.568{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457514Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:04.568{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457513Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:04.568{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0E84-60E3-C30B-00000000D301}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001457512Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:04.568{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0E84-60E3-C30B-00000000D301}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001457511Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:04.569{D694AEB8-0E84-60E3-C30B-00000000D301}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001457524Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:05.704{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A254A7E8FB32AA8E7C93330E61322E90,SHA256=6381E7E5C8F0BEF3FADF9D80DF261E4696676FA87AD6BAF3BEF25FDCFE4D9F59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402434Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:05.402{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96C9ACEDA0E491B068AED03469A0FE88,SHA256=DE8A1976C72AE5E09757486490DDEB86B22727771F8200303042ACC7639EA09C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457523Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:03.553{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61239-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001457522Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:03.553{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61239-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001457525Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:06.734{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75C406F216680E93C46241E319B9815D,SHA256=6242E9755441A5166A46BAA0A004089D40320D4A53D0EB8882E787071B75865A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402435Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:06.418{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=975BF8A25E6D3BBE3040D5B2F00FC49B,SHA256=AC2A7B52C33A463231D361226DC6B63365874B4A911A9394F647A1F2D1F37083,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457526Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:07.782{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B375AC09D6C43B901B6B62FA58205CAD,SHA256=69B500A98FAF8C2899839B1337EA14235B1905E90F3A90D8234C48D94574A34C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402436Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:07.418{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79CD4D9EA542BFF84C3A70F023EF8DD8,SHA256=3B240D20004BF8E73933D90BAC3137A3AA5DEC7D70AA3A491EC18728FFFCBBBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457528Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:08.801{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0C05D9380C73AD076736C4D2933A1F0,SHA256=E11E641B6FA9A60708C6CB667C3A7B4BEE0B54989839744E3E6A260BD33F7848,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402437Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:08.434{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C4C7BBDC0DD0C227E0500E530A46908,SHA256=3FE15664D8AE3E6C78AC2C11A25F0919127B9495683A24AE299F2E208D893FFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457527Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:05.628{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61240-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457529Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:09.816{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3CD29D48E4F9EF18F5496705E3468E0,SHA256=614EE7DD5BBC29A40637AD6211108B1B95ABF33DA2CB95BDF53B839A6CD72556,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402439Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:08.467{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54186-false10.0.1.12-8000- 23542300x8000000000000000402438Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:09.449{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8E8AE95318EF6BDD077178811DFD5FC,SHA256=EA1FC0C3F48A38545C455EE5F31D9528FE33AA799CDF7C35EC76E3CEFA7E5BB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457530Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:10.830{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=063586B38FB9419AD0656D8CE35185BA,SHA256=13C948F64B62303AD5107D8F8D006BE39B8776F05ABB568202E7211B4A18B67F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402440Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:10.449{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7923E3786DFFC7FC46A808F8C8F2D704,SHA256=BF84E78B355056C921ACA938DD32E9D7B351BE7604D96220FDA7CFCCBE16887A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457531Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:11.831{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B33946F716D81249CFB7B93C4859331,SHA256=11A42B0A9C945EB9BB4A2A478056E48E621852A4EACAD10EC3BDC8B36668511A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402441Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:11.465{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1634039AD1E82FB28E09F2078413D2FC,SHA256=C665E33BC3109738B3CFC59156D4532105E47C3879F3EEED6B05203D3D0F6776,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457532Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:12.845{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=644D61DE007186ECF9580912935878AE,SHA256=2F41AF022B0907BA31A3CAC14AEBD5F4F615C8A2E63574E161950E0173D08614,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402442Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:12.496{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01CBF0FC4E2509CD1D78048DE959968B,SHA256=95F879C4EC28F88A282DF9E8DDAFEF06E7C66111CEE71870F0616E9E736F0D8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457533Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:13.859{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9A1605C6B3C65BDE90592CACB9BF9D0,SHA256=04898E7FC18CB9D1C1985B1F2F35545B5D9A8F480B7F01ACD0890342390C9049,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402443Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:13.574{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1744164A9FFEE67FAA528D512E6D10CB,SHA256=E4CADB310EA97BBADB8A6E28C43962525E5AD1A3A29A6B6DFC8C687EE3B28D90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457536Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:14.877{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A22B16EB3C018598A926AE33A53D354E,SHA256=1A542FD5F609CDA98D16B81F55D2900B87780DBA90FBDEC54BD3DB1F55DB15F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402444Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:14.574{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=037016BFF289FB86AC84A2E5BFCFA7F1,SHA256=E0BEB2CC760C11186CB8E80E4B8911EA9E9EA44393BAE79ADC73E57016F759B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457535Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:11.645{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61241-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457534Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:14.627{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=498ED3B65FA054862314EEDBCEBE58A5,SHA256=1B05E607D589FBED03475BEF30E5C5BB9FC1CBE9B98316FA2D96235BEA813AA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457537Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:15.942{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EE72B407DC6121321DC46CE8FCE1995,SHA256=D0D2262B5EAEF83510D1C3008FA51090F8628741561FBD3A9E353E77FAEE2944,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402445Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:15.574{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F704F6BCA3091A1D325312FFA79ABAA8,SHA256=F3A8909738A002C3AB7D3C1F3A2E385725E2AED07CE8D74AF696B1390D13D831,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457538Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:16.956{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=005166AB69BA0C5FED7EB844CB4DBC0E,SHA256=A7DEF086A5CD2910E876DA63894148F31A600AE7BD4CCE0BD18300460FDABAE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402447Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:16.574{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1D84994B4EFBB160174AD9B0FCEEB92,SHA256=463904441EEBA13D8CCD450E265B61F4FB4B434BF5DD16F381875DCB956ECCC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402446Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:14.452{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54187-false10.0.1.12-8000- 23542300x80000000000000001457539Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:17.973{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C5965280C5CF240C1A7F5399876DFD0,SHA256=E0AF05FAA367A49520A07205812FB0AEBE85E609511871DA19F7EEB344E0AD3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402448Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:17.574{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=716636755BB7FD2117FDA2576DA2DD55,SHA256=1CFDCB28DC9874315B33C13E06725EBDC58480B93BF32953D31E7A7B839965B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457540Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:18.991{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B5C3F289410F7599E6FD9943E67353A,SHA256=04387873615DB2D550DF1007ACA0F384B31350F70B8A7363EAF4BA4B7405E5C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402449Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:18.574{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE9711A30C9E7108572C2A6825630FA3,SHA256=398884AB9484A8AD08374FC4C01C34049F6412B447854A92FB75840EEAD46D7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402450Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:19.574{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F80CD9ED79227B00DED824168C8E284,SHA256=FE7FD78FC7870B49076B2A2451CD62D366962C584D376C575E9839FF3EA09962,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457541Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:17.669{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61242-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000402451Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:20.590{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C9F61BAF79BDEE66636DBF8F6E0F71B,SHA256=819BFBCD6AE783169C3484291530C87F61EF65593CA4FA6B355E3D567D99D6B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457542Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:20.021{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF5F574A7DC18C3DF889C844C6D61F08,SHA256=8CDAC851FAC412EA72DCC825CF6D1C6849A9C72F64DBA3BC12B57F5E24EAE142,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402453Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:20.436{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54188-false10.0.1.12-8000- 23542300x8000000000000000402452Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:21.637{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98A38A6C9CA0030B8A771913E2244A6A,SHA256=0BA4BFA78CB23DC51D41303AD3B836D978DA6AC6C2DC2BF6C7BCBCFFC9DEECD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457543Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:21.035{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25C7C3897E02E83A6D8E5B90E8F29259,SHA256=6D0067B4E16495495B6B1088EBBDF2C354D7C15CBF1B2902D0309459F5C69A8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402454Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:22.824{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07D0D8280B3756B6DF2077F437DEF29D,SHA256=E5DFF1580324E7F5861E1BBB7A64619502078C97D313180CABAD436FE9FD57A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457544Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:22.050{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72A815C42E7475431BB4BE4B1F70003F,SHA256=3AEC12C6AFC26B4ACFE31F061AD07CFFF746129B934A2C3B284FF89414455A35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402455Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:23.824{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB5C81164AB42253BA0945F581219A1C,SHA256=F7F383B1D33C75D123F09C9401A3B878EE277CAB7308472D01FE0844B1C05FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457545Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:23.066{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBFC432A67229874BD03A3630138EFF6,SHA256=0C84298564094E7C4A34B15F946D249A68F3893B2DFC3C3AE415A109B9A4639A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402456Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:24.824{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B92D9E48B5887A1876409FCC556E7C88,SHA256=3B2DD46DA54463990461C04FF80D7C17024190C66E7374BE90D06EDD3E8D70C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457546Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:24.084{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D54F9FE8766959116AD81C347801C56,SHA256=25EF2148EAEFAF2A1309CFA40E873F7BC1813A1EDDFF0647930A73634A7A1CF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402457Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:25.824{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF5E3820A43F93452964DA2E6CCEB827,SHA256=6D15BD5185C2EAA99047F29B517A673C7FDF1FED9056900DBEC9CFFEE62C0FBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457547Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:25.115{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=305F959F36034626E33C82CE45BF45FF,SHA256=4B8F48761A7B89DD2951652DB8DD11050D9C47D53764CEA13D9716693EEE0464,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402459Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:26.824{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E010FAE107F7D6E1E9870B3266469D4,SHA256=653CAAF37B051F463C984C965512BC252475FFBDB86A72BF7CF50D5268055E88,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457549Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:23.662{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61243-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457548Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:26.129{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66B5FC49F45EACFA3C0B7713E73F51D9,SHA256=9FD864A47A9BCC5ADE7B856D00AD4FD73E52A3086EDEECACD027C916B24B11BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402458Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:26.418{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9B6E92BBE9E5A310DE438F9F978BCFA3,SHA256=60E6511ABBD41674B4EFB728820A8B618D80BE17B5C6B68DE669E1AFDFB4060C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402461Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:27.824{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4EBBC3F30547C5D0CD4B358FC68C2E1,SHA256=E1E1757C1960D5F43E7048ED3724F019FC440E1939F7C5612823EE7D2F005253,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457550Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:27.143{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=989D1064729D75E7E20AB0836AD57C38,SHA256=F71C8D97523E4CEBDDD3C7E0389A6B5C6BDCF9B8CDF3C8779C42B60A8B137234,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402460Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:25.452{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54189-false10.0.1.12-8000- 23542300x8000000000000000402465Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:28.934{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B2D9A1F6CC871B044A6C66AA7D13013,SHA256=530C58A5BC977B12E6AD0FB21EB65BBFCE2EF0E977E6F2BB1B7FC4B898C3A828,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457551Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:28.163{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=661122B92B7B9BEF12B2AF4AB6BF7335,SHA256=6FB4274269A480D2FA52C6B09BFC5EFCEA43F8AF685499924AB6238B46326179,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402464Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:28.246{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E4-60E2-1300-00000000D401}848C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402463Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:28.246{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E4-60E2-1300-00000000D401}848C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402462Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:28.246{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E4-60E2-1300-00000000D401}848C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000402466Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:29.980{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3398BB4B236CB910F6378A437366EA5C,SHA256=D9614C8300857F6C965D9C75A75D54E1B8E0C3F2D3DB5204F3D22A2FDDAB512B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457552Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:29.178{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FC826AACC6BAE1506493D8F1FA0DD32,SHA256=FEEFB139C7D08122B76DC3AD07F8E9276AA9ED532963AB0EE86398D408B12E02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402467Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:30.996{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9470E83F5B3156B4547BE30259F7EB21,SHA256=F41E648748E5FA782584489EAAB2EE2184ACF28407FB89FD8A44D29C06594027,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457553Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:30.193{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DE3FE9A7C8A4FBFF4C837FB36A48970,SHA256=D4876BA0B20BE5AC529F95B8572C8893C1C9C6C087C22FC485D981A2346A345A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402468Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:31.637{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457555Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:31.207{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=333F9D0CE4BC54B210C50E5E6B902165,SHA256=9A5D4AF7246045E8A469C3F55819D9B4B9650709E29741413EBF547AA3513370,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457554Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:31.022{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402472Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:30.684{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-59487-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000402471Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:32.090{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=972D82B239606325ED974B67D23F4A94,SHA256=D7AEC00534A6A37A69830A5D8C0E35E820AEC597B30C914F8B5A579E143C6BE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402470Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:32.090{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2D90B8BD33FFF2A821FF51E14921286,SHA256=5ECE22CA0A9E419DF396AC30D880CDDD375DCCD42C5631C59ADC54A795160EF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402469Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:32.059{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6BF63A5770B6C4766076087A44BE0CE,SHA256=27D1DE49A2C807EA0D32987CA659A80BE1FEF178F4EB74BCBFE92260831FD301,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457557Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:32.221{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=165030B39127F09E56FFCD5710F8677D,SHA256=F874172566AB4FD6AE75846D96ECCFA89BCF9CB0B71F411CA5415D312E43C574,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457556Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:29.702{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61244-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000402475Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:31.843{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54191-false10.0.1.12-8089- 354300x8000000000000000402474Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:31.452{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54190-false10.0.1.12-8000- 23542300x8000000000000000402473Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:33.074{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF4A1D43F3D67A00A2536F63614A37B7,SHA256=7A990E642C6F07FA92547CCB715578222971B9DBA732BD5443229086E1C55551,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457559Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:33.236{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1E053B7314BDAA129FE9F75AEE901B3,SHA256=C8940B7A454B0E58268A4429C18A080C7A8547B21B59AB07BAE1FF413ACD4C74,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457558Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:30.453{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61245-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001457561Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:34.253{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F81B841B01E96129E73B9F6C84C607CF,SHA256=0E22F341E5C0D81D3F1A6A29A989DD7A74CB98A3B4728BE9FFFCC8BF65FD25C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402489Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:34.559{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0EA2-60E3-2C0B-00000000D401}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402488Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:34.559{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402487Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:34.559{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402486Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:34.559{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402485Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:34.559{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402484Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:34.559{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402483Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:34.559{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402482Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:34.559{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402481Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:34.559{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402480Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:34.559{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402479Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:34.559{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0EA2-60E3-2C0B-00000000D401}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000402478Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:34.559{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0EA2-60E3-2C0B-00000000D401}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000402477Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:34.560{7F1C7D0B-0EA2-60E3-2C0B-00000000D401}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000402476Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:34.074{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BABD4DA6281EB0CA662775FD64FB30B4,SHA256=A0A066821F8FB9DD99A234EF2627DED3DA091FBAD1C0626B63D4C11AB348718F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457560Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:34.151{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=DB379EF6907B616063D735570540BD8D,SHA256=E0C5FD72933CE6D4B5568E3A11FF33CAE8E26AF4752D7B228A3DF2D0EC936DBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457562Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:35.270{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C69F1D6530C09068827AF216A845A23,SHA256=23B93ABD49819D5D34F77AC9E1D72128140CF152FA28E3DD0F5BD4CA83C36466,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402518Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:35.762{7F1C7D0B-0EA3-60E3-2E0B-00000000D401}23041516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000402517Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:35.590{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=972D82B239606325ED974B67D23F4A94,SHA256=D7AEC00534A6A37A69830A5D8C0E35E820AEC597B30C914F8B5A579E143C6BE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402516Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:35.574{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0EA3-60E3-2E0B-00000000D401}2304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402515Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:35.574{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402514Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:35.574{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402513Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:35.574{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402512Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:35.574{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402511Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:35.574{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402510Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:35.574{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402509Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:35.574{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402508Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:35.574{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402507Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:35.574{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402506Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:35.574{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0EA3-60E3-2E0B-00000000D401}2304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000402505Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:35.574{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0EA3-60E3-2E0B-00000000D401}2304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000402504Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:35.575{7F1C7D0B-0EA3-60E3-2E0B-00000000D401}2304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000402503Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:35.199{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E29677E37EE90575322A3818C1B156B7,SHA256=9F1B8D432AF3E15BF6F06E2F28425A09CC89458B92D9D111F548AAFE3C884A64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402502Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:35.074{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0EA3-60E3-2D0B-00000000D401}3016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402501Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:35.074{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402500Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:35.074{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402499Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:35.074{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402498Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:35.074{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402497Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:35.074{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402496Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:35.074{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402495Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:35.074{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402494Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:35.074{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402493Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:35.074{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402492Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:35.074{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0EA3-60E3-2D0B-00000000D401}3016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000402491Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:35.074{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0EA3-60E3-2D0B-00000000D401}3016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000402490Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:35.076{7F1C7D0B-0EA3-60E3-2D0B-00000000D401}3016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000402519Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:36.418{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF36A211C2E482F7F7C10FC66E16AB57,SHA256=A921955999318E299906B6C90AC01D206F16AE01E04699394EAB1AF53EC66AE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457563Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:36.300{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6061D88BF15F4A84135792FD3463B718,SHA256=F27EBA42D737E570FB8FD48FBE9513476A85A05E27E0E60F663B6DEE10A4AD78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402520Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:37.434{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCDECEE4E9B110CB700339C6BF44D533,SHA256=E7621533AD4855E78057DDB56C716FCB7575E96424FBBAB125E3FED148327F0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457565Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:37.330{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=982C107762C991C21A3A3A73478F2D15,SHA256=556D6AAA611337AA038EBEAD4C858CB9F8E1B3910C52865A468F18E9E977FD51,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457564Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:35.447{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61246-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000402522Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:37.405{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54192-false10.0.1.12-8000- 23542300x8000000000000000402521Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:38.527{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22C6036C2130CB6260A2B3C9F3B53C90,SHA256=FF60FA648DAC975E698EE8B962B678C3953EEDF497C99FB7280AEACD9F910C54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457566Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:38.349{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A385D275BA71E9E3441BEDC062634B7,SHA256=3BA147DA9FD22E4C4DA3E1AF4E786881A6683E7FB616DA0D3998DA8B2059F82A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457567Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:39.350{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=379D650632559AB84BBD7DDD430A0A07,SHA256=783D63A6F3C9ED19418C75DFA0B406D7AC4FFD5ABC01DC722EF16A00927D8080,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402551Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:39.918{7F1C7D0B-0EA7-60E3-300B-00000000D401}4048748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402550Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:39.730{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0EA7-60E3-300B-00000000D401}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402549Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:39.730{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402548Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:39.730{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402547Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:39.730{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402546Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:39.730{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402545Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:39.730{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402544Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:39.730{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402543Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:39.730{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402542Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:39.730{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402541Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:39.730{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0EA7-60E3-300B-00000000D401}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000402540Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:39.730{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402539Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:39.730{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0EA7-60E3-300B-00000000D401}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000402538Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:39.731{7F1C7D0B-0EA7-60E3-300B-00000000D401}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000402537Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:39.590{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D94ABBAD5817381CD80F80455081792,SHA256=C8E9B9762609F8B597206A76F078A5A440DA7765A3F2A7AFFE4FDD771860428A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402536Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:39.528{7F1C7D0B-0EA7-60E3-2F0B-00000000D401}18123332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402535Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:39.230{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0EA7-60E3-2F0B-00000000D401}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402534Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:39.230{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402533Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:39.230{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402532Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:39.230{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402531Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:39.230{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402530Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:39.230{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402529Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:39.230{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402528Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:39.230{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402527Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:39.230{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402526Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:39.230{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402525Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:39.230{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0EA7-60E3-2F0B-00000000D401}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000402524Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:39.230{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0EA7-60E3-2F0B-00000000D401}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000402523Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:39.231{7F1C7D0B-0EA7-60E3-2F0B-00000000D401}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001457568Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:40.364{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90105D7CEBDA500198B23077BEC4844C,SHA256=0E8FA45F659AA4A5E9C840FD6B033EBA653DF164A592990F7F8234AFE0D4A62F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402579Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:40.903{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0EA8-60E3-320B-00000000D401}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402578Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:40.903{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402577Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:40.903{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402576Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:40.903{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402575Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:40.903{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402574Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:40.903{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402573Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:40.903{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402572Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:40.903{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402571Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:40.903{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402570Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:40.903{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402569Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:40.903{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0EA8-60E3-320B-00000000D401}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000402568Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:40.903{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0EA8-60E3-320B-00000000D401}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000402567Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:40.904{7F1C7D0B-0EA8-60E3-320B-00000000D401}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000402566Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:40.652{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B92E56D0DE7107603466807327B69FA,SHA256=B8B0C0AA7F50E52C44D72F147D8CA4A6EB33C39DE2764EEDD596DDBAD1C7569B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402565Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:40.402{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0EA8-60E3-310B-00000000D401}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402564Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:40.402{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402563Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:40.402{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402562Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:40.402{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402561Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:40.402{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402560Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:40.402{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402559Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:40.402{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402558Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:40.402{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402557Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:40.402{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402556Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:40.402{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402555Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:40.402{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0EA8-60E3-310B-00000000D401}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000402554Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:40.402{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0EA8-60E3-310B-00000000D401}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000402553Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:40.403{7F1C7D0B-0EA8-60E3-310B-00000000D401}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000402552Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:40.246{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF049CA54488DAE9B9AD4E81141FC546,SHA256=DD4535660F5BBB566C28D7EC4F058C12A5403A0CAE36D0D28C08A13DD212BD52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402582Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:41.699{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFE66FB26889A9872549965C0680C069,SHA256=C25E9CF2736FB0A20318E773A5DCB777470914E33BE05DD9A45C453E6E395D8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457569Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:41.379{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=952568D7ABBAA2E3020F80D701783BEF,SHA256=56E1625B433837C0B212EFC797877C3FA113666A8F1F145D22A1ECF654A880B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402581Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:41.621{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=524621A07265A6F4C4A51D41DB0812A6,SHA256=86B5C34869A484E759E866608D50491FA0B6FBAE9EB9FF4A97373DC2EF7CA56F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402580Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:41.137{7F1C7D0B-0EA8-60E3-320B-00000000D401}7083804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000402583Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:42.699{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C373984FFA565192A4EAE193283E0F50,SHA256=1AE4508140203DB315BC56B836AAA377262CEA9B10EA3CE0230C7300F504059F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457571Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:40.691{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61247-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457570Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:42.410{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89F77BEBC3C9A6B9E9A0BDA7242C93E6,SHA256=8510FDE6230FE126509CA58FE99246216690C1780F9DF6A294BAA3EEC4B89688,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402584Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:43.699{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EE492D677AF98B07CDE186DC5B55F69,SHA256=7AD2394CD6751B2F29E9BF63816121DA63AFD02D6FA1B5BB9B993432B8DDCDD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457572Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:43.424{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F200439B619106F2257375422DCA759,SHA256=2EF7921B8C8A6AD7C26AC69199D00244F1D9C7243FBD8E8100EAE3C356D1AC76,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402586Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:43.374{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54193-false10.0.1.12-8000- 23542300x8000000000000000402585Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:44.715{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C7F5DAA6ECE124833E11F6E0637D72B,SHA256=411448DEF1E4C11E0546B28334BCD2D664E94340156290ACD5BD3982B1146CE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457573Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:44.440{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15EE4FDDF7BC2E7405BCA0472CEFE645,SHA256=B3AA8846BD444ABE62808C4A8D72CCC15A17BDDC406133477F8A7E2A93174462,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402587Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:45.809{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E76C89B0DD6CF012955E0F628C65605,SHA256=5CD634F582DBEDF84D371F6518AAF5099E72C5CE5690C5D83F1561E0F46BD689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457574Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:45.460{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D967F05DD61AA217A120DA6469CB7BF3,SHA256=AFDD82E4499255B217B7822FB6E06087A117E11A531FACABABF59329042A3274,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402588Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:46.824{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFACE39E49522718B88D3A9832D53C20,SHA256=0F56B2AECA3D1B4A299D813621B4BCB91C27BB9ADDD58B3CEF9DB3AE188FEF7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457575Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:46.474{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7276065EFE04C7F005AF9DAB304A982,SHA256=2348C02069DE3F69C944200B98025EFAD4185D32FD685BAAA586CA3D4CAEC505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402589Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:47.824{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C16A5B326D1EF6FE06FCCED7A72D7DC7,SHA256=6783754C2BC6FB33D48AAE700C9D9EE410899EE134F658F50B932CE38F0A77B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457576Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:47.488{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=921E11B416602CB60D7FE99902F5939E,SHA256=4BF8B547BF631CB41A61FE09F5DCA79D9D35F3CDDC0848C0817AE770EB180C34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402590Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:48.965{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B644EC4257A74553173F5190DAD829CB,SHA256=D70A00797CA6BBE52DCB4E04902D2EBE7DC59BFB49B55521AEDC67922954382D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457578Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:46.467{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61248-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457577Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:48.519{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1D97B1E0CF72130CBE6BA9072159E1C,SHA256=D921499E3C2AAB2FA61D4F2333092F836CD4A1BFD252D160714BC9F434FA1129,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457579Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:49.537{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ABC218C3CA6C009E5DCDEB4B105BE61,SHA256=883E2B415C6A8AC65997CC2938F5D6399EC0F2798F3C5A2BC567E0B1319AD3C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457583Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:50.585{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAA2DA296C01D6767CE54E23943A597C,SHA256=6BB1FE63CF57217D75CCF2986C49044BADA57E90FF9D1469F7933083213CE688,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402592Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:48.374{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54194-false10.0.1.12-8000- 23542300x8000000000000000402591Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:50.012{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9AF310C392986DCC63031E06861AE73,SHA256=0C9E1E3F7C59802B3EC9A57C221CDC56E64C2B288DE316A5845C5C9509FFADC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457582Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:50.485{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1500-00000000D301}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457581Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:50.485{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1500-00000000D301}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457580Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:50.485{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1500-00000000D301}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001457584Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:51.600{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E24A4B26E8CB022F9841311A657F5F6A,SHA256=DE04ABB94CDA6E409E0BF9A63FDFBAA9CA10D5EE48B57916BE3349BC972F596E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402593Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:51.027{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22C5DCBD33218DC87721BD2F4F555BCE,SHA256=ECDFC6494A01A96DE3945FF6A5CAF6F501F404BA52C6CE894592FF54901853D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457585Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:52.615{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62A223968710CB78FBBFA84AC97EF5E9,SHA256=928E5C4E90581AB5527DDEBCC4D79A0ED7988CA1934BE5BC1018B3FC5D5C8110,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402594Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:52.029{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4160B563495D6D79BFA814A62DBF09BA,SHA256=971BD61478CDDDCB33A258109AB9D43781732904296E4C7D343193FBF80FF43B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457586Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:53.651{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50EFDCF4D6D00CDC51B1157467D1F9D4,SHA256=18BCEB19E467E755077F555D9C1A23BC7E1E666A031E3D44BB9D1CEF3CB7B708,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402595Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:53.031{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=223888AAD839F3F94435B0652D99F12B,SHA256=45AA94B1B742D8FCDEFBF4D4AF0CF865CE4585A0B1FD5FAE76E325300E2FEAD9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457588Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:52.476{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61249-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457587Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:54.696{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9182AF124A88433B72BDA180472DF7D,SHA256=B3D5E058BE66F115B3D329454A12B66AD4911739BF2892CA746DCDC8238DE965,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402596Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:54.032{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8243B632EB7F2E05710E336889A309C,SHA256=442DE72D3377228102BDBAFA8A4C461956B93C6D3CBE572A01ED4E53C457A3FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457589Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:55.711{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BD68F0D0E928A49B310CE9FE0137B7A,SHA256=C30166BA3C6BFD6F1132A6B8937E7C7B3C909A7B9FBDAB7D2B03D743D635745B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402598Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:54.348{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54195-false10.0.1.12-8000- 23542300x8000000000000000402597Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:55.110{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E384CABFD173BE519A65C16FAC23A49,SHA256=E88162C468D979C035E7AF2A626DB2DD3681EE8F38B1818401F0667BD994BF67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457590Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:56.728{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E188BB519C127E0A1D7258669898937,SHA256=88226D99E1FF7D9E9C580091B23A7934A03B5DF980C336CBEDCF7ABC10428B6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402599Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:56.189{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=727560103E0B208D5614F0F879D6AE59,SHA256=3A05923A33CF4BA3462D1479A2B3D51268D97227864C42D7F180A15216B794B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457591Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:57.746{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88E4731A9E6BD3847E28AD3866158E86,SHA256=58EF881723ED61432F56EBBA954D240777FEFA02EC4464A682392D9B89CD6A38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402600Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:57.204{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3DA3B2011E7DF53A70C4D1754514D4A,SHA256=226A7689F7603B8365F808BE5EC388419FE0A7BE2161E30ACCC7939DC92F2D6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457600Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:58.875{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0EBA-60E3-C40B-00000000D301}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457599Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:58.875{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457598Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:58.875{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457597Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:58.875{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457596Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:58.875{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457595Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:58.875{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0EBA-60E3-C40B-00000000D301}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001457594Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:58.875{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0EBA-60E3-C40B-00000000D301}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001457593Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:58.876{D694AEB8-0EBA-60E3-C40B-00000000D301}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001457592Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:58.760{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5426951FC866B8AD89C6DBD630514000,SHA256=1AE10B5225A1366294FBDACBB142ABA3CDA4A410FC48BA9EBAA8E4A0734F470B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402601Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:58.235{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0742566487D27ABE4F5773E7C9FC6261,SHA256=61A49F38EAAF8768274CC4AAC8EB95EC9AAFAF7FB895A89FFA809D11388A113A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457612Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:59.944{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1339622EC08ADA4E860E15B24165B86,SHA256=B003D8D1EDE716CA26BC68CE0DA46BABD55C19E33CBB1C4DA8BF42E866CAE6CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457611Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:59.944{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADCBA60EE2DF4235199EEF153C621790,SHA256=1A5517F54F8F14859785A4F03B20FE6E7A454D7D8FB5362AC06258BF015A4282,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457610Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:59.775{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9506C5AE75B178F8F20C051CCFCA39DC,SHA256=008878DAFF98D593F760659C9307C4226702D94B9F94C5C968A63ACF2B1C4CD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402602Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:52:59.282{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65D69705D93141D3DF0DA665B47F45C9,SHA256=82A674B766EBE56FBABE876021E1B6AB30F7FD97C6CFD537681746A246C570A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457609Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:59.560{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0EBB-60E3-C50B-00000000D301}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457608Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:59.560{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457607Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:59.560{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457606Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:59.560{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457605Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:59.560{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457604Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:59.560{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0EBB-60E3-C50B-00000000D301}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001457603Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:59.560{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0EBB-60E3-C50B-00000000D301}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001457602Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:59.561{D694AEB8-0EBB-60E3-C50B-00000000D301}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001457601Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:59.028{D694AEB8-0EBA-60E3-C40B-00000000D301}65445692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001457621Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:00.806{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F8F249B1D5CEBB4CBDD752D84247F6,SHA256=828A04C7E6576F57930E04064581C775B14739EB24E77C300283E84B7C41EEDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402603Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:00.282{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7E4BD0567765AE702AA7CFD883E5C5E,SHA256=3DE6E4D953FE02B9FA1652DCDBFD06578FA89D0C9F4BC98EF9568FE71CECD431,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457620Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:00.244{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0EBC-60E3-C60B-00000000D301}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457619Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:00.244{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457618Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:00.244{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457617Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:00.244{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457616Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:00.244{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457615Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:00.244{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0EBC-60E3-C60B-00000000D301}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001457614Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:00.244{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0EBC-60E3-C60B-00000000D301}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001457613Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:00.245{D694AEB8-0EBC-60E3-C60B-00000000D301}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001457624Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:01.842{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FFA0B969C7D824EBD774D477018E04A,SHA256=B0097EEBE1940358E408DA4053BF5CC17BDF233610156390493DE87EA031D727,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402604Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:01.282{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=851968ED1E1856070EE951EA4457443B,SHA256=F444A01AACB4A7680DE6A7AD23004D59FA3E2FB04C7FFE9DC67EB37920D31A96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457623Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:01.258{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1339622EC08ADA4E860E15B24165B86,SHA256=B003D8D1EDE716CA26BC68CE0DA46BABD55C19E33CBB1C4DA8BF42E866CAE6CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457622Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:52:58.472{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61250-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457634Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:02.857{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BC4AF7B9D8ED9A5C2B60AFF1290411D,SHA256=ADF1B7B98D66E1BB61EDBAA6CBF6459D82A541F8170E27FAC84F8496D0EA5D78,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402606Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:00.301{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54196-false10.0.1.12-8000- 23542300x8000000000000000402605Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:02.282{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F15F2762635984ED1950D5E4E914C966,SHA256=76D256A4257A453312CB03AED9392B3AA136C9DC1A7F609063623661D0E56365,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457633Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:02.688{D694AEB8-0EBE-60E3-C70B-00000000D301}30525840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457632Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:02.525{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0EBE-60E3-C70B-00000000D301}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457631Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:02.523{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457630Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:02.523{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457629Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:02.522{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457628Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:02.522{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457627Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:02.522{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0EBE-60E3-C70B-00000000D301}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001457626Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:02.522{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0EBE-60E3-C70B-00000000D301}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001457625Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:02.521{D694AEB8-0EBE-60E3-C70B-00000000D301}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001457654Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:03.871{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B6BB31616D651D5062C564FC93A5405,SHA256=81E09E9BEBD88E9E5B3623C5249340642AD863185E493E13DD590677732FE33C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402607Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:03.282{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B114684A9D9574F74CC16F208C9F4CEA,SHA256=610BF0E8829ACCE85C7F65698C30558F1753BE725D28BC0425EAA3912D39DCAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457653Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:03.840{D694AEB8-0EBF-60E3-C90B-00000000D301}35646516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457652Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:03.640{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0EBF-60E3-C90B-00000000D301}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457651Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:03.640{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457650Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:03.640{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457649Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:03.640{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457648Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:03.640{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457647Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:03.640{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0EBF-60E3-C90B-00000000D301}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001457646Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:03.640{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0EBF-60E3-C90B-00000000D301}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001457645Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:03.641{D694AEB8-0EBF-60E3-C90B-00000000D301}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001457644Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:03.524{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43250AD92F740D7D6E812C10B99D2335,SHA256=B49666E081C48B3B426ADE0BD4C87F334C36568AB6F23DDA78935CD07C38452E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457643Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:03.157{D694AEB8-0EBF-60E3-C80B-00000000D301}34481960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457642Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:03.025{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0EBF-60E3-C80B-00000000D301}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457641Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:03.024{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457640Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:03.024{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457639Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:03.023{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457638Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:03.023{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457637Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:03.023{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0EBF-60E3-C80B-00000000D301}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001457636Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:03.023{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0EBF-60E3-C80B-00000000D301}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001457635Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:03.021{D694AEB8-0EBF-60E3-C80B-00000000D301}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001457664Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:04.923{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADE24D9A33306B7DAED1F8F2458ECD56,SHA256=D2DCAA0B8FA0C14E7063D8D64AB7F5570FF2357A7DF4B665F2C9D1D450E28C16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402608Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:04.329{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43BF4C564F11BEB79EB0FC28DBBBBB4A,SHA256=6F5D4C76624A08275F3EA61EDC8788BACFC7CBEEED3C9C2DE7B7E31A2F27A797,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457663Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:04.670{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=625BDE4DFB449BE957AC4F271C88C2DB,SHA256=976EACB7AED3C67F0D4312F54E17CF886DC99E965F1F018C74C091FF2E4692E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457662Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:04.323{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0EC0-60E3-CA0B-00000000D301}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457661Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:04.321{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457660Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:04.321{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457659Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:04.320{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457658Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:04.320{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457657Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:04.320{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0EC0-60E3-CA0B-00000000D301}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001457656Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:04.320{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0EC0-60E3-CA0B-00000000D301}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001457655Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:04.319{D694AEB8-0EC0-60E3-CA0B-00000000D301}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001457665Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:05.937{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FFBBA6307E61577DE1FC05C5C889E30,SHA256=948E6C46CEED34E95A644801351B610ACD5BB27A348D09172AC9DC604DE41546,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402609Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:05.376{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=840D42C45B4F18EBC1D813FD9FD45A6C,SHA256=5E1015BDCC8A87FFF3F94C56ACDC2A9F08D83E0047E5977227D0E0DC0953511D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457668Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:06.952{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4595DE8FD29CDE2EFA7C3E9B2051702,SHA256=8E3A4DBEC09A39EFBE05252221A8C9C5D33EE3D031BB0C88E32AD5B8B99D4E7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402611Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:05.316{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54197-false10.0.1.12-8000- 23542300x8000000000000000402610Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:06.391{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D57C32B1870C578C89F735171FBF3BC1,SHA256=7BBCEB7EC5A47301A34E87C5C598952C691AD7B4FC14BED62C0F2A579630CE40,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457667Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:03.565{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61251-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001457666Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:03.565{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61251-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001457670Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:07.967{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46D7C580970F2C7FBA24D66B4069F05D,SHA256=CC47D9F7C24383BBFDC50F322253DF526AF5F9E4A65422C63B0255E8D576CDBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402612Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:07.626{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FB94139A077F89620FCE56B598F55F0,SHA256=D32AA465477FA0E1B747203DABE56C9722F9F8A1CBAE5466C238049A2D2D9522,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457669Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:04.500{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61252-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457671Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:08.981{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B50DEF6759BC5A352302914F029A44B,SHA256=9F7E54380245602521FCF0E788376DC93542F22135C78F6E9F25DB569313081D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402613Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:08.641{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C384C0F531B83DBD90B123E00584F023,SHA256=B060570FDD2249157E03AF822926F10C7DA2D5A77FDA4D5F752A25A3C6D3C000,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402614Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:09.641{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8130931CF1C58AA2F92103412793852,SHA256=CE22447A38D870FDB53C1FB4BF66E82290731FCE592C7E6E373EC3308A56E51D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402615Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:10.641{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A903BDBFF269C66642BDA85E0231E82,SHA256=20B1097EA61F4FB4267143F28B17B004A27A3EAB2D5690791AFF54BEF20AA527,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457672Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:10.033{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B55205A1EC3D21C6F6FA522316D8B91F,SHA256=E9FED435CCB5ABA0F643BED8F12097E493B4345FB12BC3CC1E073D4D0B4BA6CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402616Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:11.641{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D815DCD6D9D387C78420D2A59D512FA,SHA256=D8F2E52A7A27B9F6FAA4779945DD9FA94F6F3BA376F22EFE9381C3589911E947,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457673Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:11.047{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6349B3F2EAAA847E82674033EF29DC0,SHA256=D4E894E76878F8225935F6D8B465423CCC466921D2764838A5E50CACD3E2F708,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402618Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:11.348{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54198-false10.0.1.12-8000- 23542300x8000000000000000402617Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:12.641{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7245BA00865FED9EA08B2BA71FDA67CE,SHA256=B00CACB8BCD3EF8733E6455871908502C78DEB0023DF535B498F34C8B12F014D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457675Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:09.510{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61253-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457674Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:12.061{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C5BAFA124957C58A8049DE93E138E90,SHA256=1FFF73C7C29BC78CEFD16EE650A7B5C59012AEF3CD18DA7DA1D22969A4A39C2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402619Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:13.641{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E8E37D078880B891436DDEFB11FC312,SHA256=D3626206A732701DA0D4CEA510CF421C11058265A46835353AFA17B86444BF53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457676Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:13.061{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E6E87BC847BA6A1C5EE205AEF8F9BAC,SHA256=F680B567619FDDDFE87A683A8A56BBCC6752436CB4E72FAFAF3BB316807842A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402620Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:14.641{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65D112E36C046BC9D0BF2A57FFEB011D,SHA256=E16214704944CD0E03AC03F9809B898A59AE6CC18ACFF6E6EB312E53836FFB84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457677Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:14.129{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1066130A899A45FD94E52EA7EDC13977,SHA256=D79C74E537B97A10E9900C7AD09C5B80F2F404F0FF271DC3CD969616A21F393C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402621Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:15.641{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27BD74710C33DFA9B012E5BD2A910313,SHA256=A3934126F29A8F49ED4A7AE30FB8510E0F712F1E1039109EDEDC3C5823891A55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457678Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:15.159{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40C32EF40BD5E41C131DBC409647A575,SHA256=E08D32D0B0C3601E70C2E17DA00E23E09BD7570B2B09CAA747DAE446EC02C7BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402622Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:16.641{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31D34159CAB1CABB9FD756B65D6C8100,SHA256=21623585DE5C4875D56A32B4ED412FEAF1FAFD079F319D57260ED24E2C995EAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457679Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:16.159{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79973FE827A716EAB12BC99C22DCF8EF,SHA256=2DBA6E439DED3F52162B5CBD9619383EB6B9590833D62FAA6A0B613169B2A41D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402623Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:17.641{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA56AC967C02F4EE0C8813953A3467FB,SHA256=3082F6C3FDFC115F556AEB113866570E1DF350129C0251F9DB1040564D33BCD2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457681Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:15.537{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61254-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457680Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:17.174{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=637D2279F4857DEC9AF9AE9F0EE6B9B5,SHA256=28F05F0DB24E8C808B4A8A355811BEC015853D1FC6C663F0F0DF5E4DEE71550F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402625Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:17.348{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54199-false10.0.1.12-8000- 23542300x8000000000000000402624Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:18.657{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E6F92B8A6640387A44253B4D0A4BC48,SHA256=F875FCD820800D33DDD802442935821996E03DD1DABA43DC114C0C7439B34EE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457682Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:18.188{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BACC569915B0FE9C72DC740135736DF,SHA256=6963EBEDB13282ED9403F721D26D795A081EB4A01B751483F348170E0118245A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402626Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:19.657{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DF8345D1CE97BEB772D49156648026E,SHA256=80DE6E153959444A01AC5999E91BBE2DD160177836315693CAB8A7CF1E3D9DBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457683Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:19.224{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D399A35BD4DB8DB939FE645B7A958D2E,SHA256=48E51C6C4C50468D2CF09F8AA0944911B3AE9852440703F1B7CEB507A2A2FBF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402628Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:19.522{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-54124-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000402627Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:20.657{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=908CD9A90289003A13FA8E621AE8BF78,SHA256=5DD69C12954E2C8501D022E78E7A954F09E9BE4BA1D4DA04B3A49A8900D9A9B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457684Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:20.254{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5F0F866AF4F67993415558A636CCBBD,SHA256=9112CEDD7CDD5B9FFE2A60A33C0805D8DB65C23BED6CADC2B151F3234F30821A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402631Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:21.720{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=958F2C0F3068B05C3E9EADC385A4D22D,SHA256=E4086470045CBA338791C86B4B861A3950C29F1E1D47C6D2F1B162CA1DB59464,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402630Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:21.720{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30587906C413EE23AF78051990B78824,SHA256=8278C700FEE0DE9E1F36572EE58CCBDDDAE2D2516ADCF299CC028DB643A271FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402629Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:21.657{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=604DF3882CC84B58DBBCAD6F781FA0A1,SHA256=4479F95D0C3DE3CC6D80A58A244828A53068043505F1BA30182B4DE3907C3463,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457685Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:21.269{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4930FD48174AA4BD0ED5378FC2193727,SHA256=C9C9AA217C146EB52CD6783E45D797A3873B2F9474235152C675A67162A0C610,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402632Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:22.657{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=778DD58F4BE03F9F8B742A60EDB5D799,SHA256=8761F233DE2AB850F36E313E5027D1FBDC3055C4FB474C58269ADA66E4DD2C20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457686Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:22.302{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32B9F6795D554C44E533F0EC005741ED,SHA256=8B31937A426E7D966453A19B609A2BF7C63264D78EF2C3122D22B759DA906865,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402633Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:23.657{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9105F8F04CFE7CAB0CE0695D0744540C,SHA256=0658945188722BFB20059D74C81522D62C5E356F388D554CCA0C14512EFC4F65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457687Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:23.320{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1006CDC2D2544500E666AA64E5AE6727,SHA256=569ED14E2A99706861F5FDA88A59E0DE3AFD041BD3388E0ECF94EB8E12F67EBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457689Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:21.483{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61255-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457688Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:24.350{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1843AAB00EBE6B0862C2BBCFED30201B,SHA256=A93E42073D62E287FE67C5A003C9AC3C8C8A8FD8F7BAF1D21FCC5BE34F6BD09F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402634Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:24.657{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B09F56F79B0EC4A4FF74F01CDC978A1E,SHA256=F940DAF6CECD838845066E57511C488DECDA16A36DDB9098D24C15F89ABCF4AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457719Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:25.779{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457718Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:25.779{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457717Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:25.779{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457716Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:25.779{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457715Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:25.779{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457714Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:25.779{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457713Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:25.779{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457712Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:25.779{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457711Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:25.779{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457710Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:25.779{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457709Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:25.779{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457708Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:25.779{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457707Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:25.779{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457706Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:25.779{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457705Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:25.779{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457704Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:25.779{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457703Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:25.779{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457702Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:25.779{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457701Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:25.779{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457700Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:25.779{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457699Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:25.779{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457698Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:25.779{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457697Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:25.779{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457696Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:25.779{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457695Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:25.779{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457694Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:25.779{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457693Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:25.779{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457692Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:25.779{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457691Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:25.779{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001457690Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:25.364{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06087826B10930731FE321911AB24661,SHA256=92F961B01834B02E9B64AAB22F440351310AE16C43688EFD04D05333BC4E832F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402636Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:23.317{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54200-false10.0.1.12-8000- 23542300x8000000000000000402635Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:25.657{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F42693CFB8FAD84DF1E1A968F8071C80,SHA256=493FF8F8720FB71E8989EED9E5412EADD5EE7AE64589874960B409BD39070377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457720Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:26.878{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C39C263724608DEF2394703C5A51ED59,SHA256=D01A5201796BDEAF8199140960D6956D4D7C2216FF0AA7FE4D6494FE41269D81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402638Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:26.657{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFE7D1924D1ACD9C2B12109DBB9B9C4A,SHA256=9AA8F44BE98B21A5E33F3D9566EA5A5EE63EF2913499E957B2CAD0E2773C6A29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402637Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:26.423{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=4195353685208D1C4DE88013CC0BA200,SHA256=0A53715AF5B1A86EF0A1389035D35299C0094CBEBA0D1CFE23E862E7A70E3EAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457721Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:27.895{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C10A028212F62EC50A4D55D8E004BAF,SHA256=1E7D015D03D39C23027C30BF98CBB658F4053D39E44924D44E00A93D5FB2A6AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402639Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:27.657{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3382D1421F853A7B2C3381F3B6BEDC1,SHA256=EB91099D6F166BFA386A2B209C57DB8F7AFB75BD2A7D1F5D1132AA3687CC438D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457723Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:28.914{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA2689D2AB7A8B6A4403BFC513486FB0,SHA256=BB8F0140281CE5C8F2A6EE1A395136B6E269EE3C6C5E904D2E67A95D50C10576,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402640Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:28.657{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C55A146ED4368C0B7528DF03BDB7072,SHA256=918E9F1674D35EB01A3613BAD2FF4097B7517027AE75FC81ED3246AADE532C7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457722Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:26.708{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61256-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457724Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:29.928{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E3EC5886D8BEF2E633853EB293A0B9A,SHA256=F7E1F6526A5C601AEED17823A7262C269AB16578AC269A3D697C1CE00B8DF375,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402641Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:29.688{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF707D462D672AABF000EC7D9DB06950,SHA256=9117DFEBA4DC4D5BFD67DE8A2CBB812FB4764620E6E369DD92D7F0D78999267A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457725Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:30.943{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=565E58550CE43DA07C1199662056BE44,SHA256=715BEC31214E3243069F02FAA7F6C86B0991F046D6EB12C43FF4497C4D957AA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402642Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:30.720{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16C4CEDEFFFEB51E5D21EFFC309ED6E3,SHA256=10CD488D944BD7FB1B32057C8EB0987C2CA9D27742C3CB91300D485584D6E873,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457727Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:31.957{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=928D0D441D025B62BE62CB448543376B,SHA256=B298D0A3B6C4A0D7E149A0AD13A5349F15806557B406F5DD534E0EB4F5B84D5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402648Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:31.766{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F53DB0866C4EF123CB33A71686863F0,SHA256=76579E1437A8A977CE60564130002F586C5A1ACCF9D181B07CF0747CF7A568B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457726Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:31.042{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402647Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:31.657{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402646Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:31.391{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4902CAA609D8B2B3939D994D5E1E24C,SHA256=B7E1007A1228AEB3740C6A8B1D4A4631C7300DBCC4572006B68A509D7CBC6AC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402645Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:31.391{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=958F2C0F3068B05C3E9EADC385A4D22D,SHA256=E4086470045CBA338791C86B4B861A3950C29F1E1D47C6D2F1B162CA1DB59464,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402644Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:30.011{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-58921-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000402643Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:29.317{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54201-false10.0.1.12-8000- 23542300x80000000000000001457729Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:32.971{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69B071DDBCEE1A96129E8B0E72AF3853,SHA256=DB5961243A46DBF15C91D4E754A980911D666A8E4426EBE5F59E3ADF45D10667,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402649Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:32.782{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C76D7D75693EEDADF8B9DBC558DC23FE,SHA256=6408BF5EA6796C28B51FE172622F983C0ECC5AA269709F8F8986616524D5F443,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457728Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:30.473{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61257-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001457740Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:33.990{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9E79C6354A97F7577BD50CA67E28D7A,SHA256=19F969A348166B6E5838F47E8DA587977035D74DF60FE8CDE22BE07D74D4A0B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402651Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:33.798{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB89D3D36E3AC095F0A7ECFB5F6D9C0D,SHA256=AD89D48B11F2954AD74F0432236DA39179D54BB1FD8395566FCF074E38D98329,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001457739Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:53:33.408{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001457738Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:53:33.408{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x01635b02) 13241300x80000000000000001457737Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:53:33.408{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7719c-0xc2ad42d9) 13241300x80000000000000001457736Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:53:33.408{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d771a5-0x2471aad9) 13241300x80000000000000001457735Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:53:33.408{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771ad-0x863612d9) 13241300x80000000000000001457734Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:53:33.408{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001457733Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:53:33.408{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x01635b02) 13241300x80000000000000001457732Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:53:33.408{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7719c-0xc2ad42d9) 13241300x80000000000000001457731Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:53:33.408{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d771a5-0x2471aad9) 13241300x80000000000000001457730Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:53:33.408{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771ad-0x863612d9) 354300x8000000000000000402650Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:31.864{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54202-false10.0.1.12-8089- 23542300x8000000000000000402665Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:34.829{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71E5CC10C227F16F19D9FFF5D5B087EC,SHA256=BD573EEA9E39383D2265F4077B115645740B9AE3E87B35D5E71F243B761EE267,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457742Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:32.686{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61258-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457741Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:34.155{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=7B17CC1B365BEBAE2CB74E25A9979F31,SHA256=7DF81BABA89262DB139324AEEEE3E1EA430C1CA2D77E5D58C27829FF19A9DE6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402664Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:34.579{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0EDE-60E3-330B-00000000D401}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402663Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:34.579{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402662Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:34.579{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402661Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:34.579{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402660Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:34.579{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402659Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:34.579{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402658Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:34.579{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402657Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:34.579{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402656Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:34.579{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402655Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:34.579{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402654Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:34.579{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0EDE-60E3-330B-00000000D401}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000402653Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:34.579{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0EDE-60E3-330B-00000000D401}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000402652Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:34.580{7F1C7D0B-0EDE-60E3-330B-00000000D401}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000402694Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:35.907{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AF7052046166452D2395927398B9DF6,SHA256=63C9C43AF7B309527D4280E1A808A91955816A67C78B577AB2BCCDB4BB9AE4B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457743Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:35.007{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C766FFF98E4E652D16D35C0727565AA,SHA256=789ABE374E3B240D5D04299C93F0D5A6A74FB212E08349FCA2F8B4A7D22F3A9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402693Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:35.751{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0EDF-60E3-350B-00000000D401}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402692Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:35.751{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402691Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:35.751{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402690Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:35.751{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402689Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:35.751{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402688Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:35.751{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402687Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:35.751{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402686Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:35.751{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402685Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:35.751{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402684Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:35.751{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402683Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:35.751{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0EDF-60E3-350B-00000000D401}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000402682Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:35.751{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0EDF-60E3-350B-00000000D401}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000402681Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:35.751{7F1C7D0B-0EDF-60E3-350B-00000000D401}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000402680Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:35.688{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4902CAA609D8B2B3939D994D5E1E24C,SHA256=B7E1007A1228AEB3740C6A8B1D4A4631C7300DBCC4572006B68A509D7CBC6AC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402679Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:35.220{7F1C7D0B-0EDF-60E3-340B-00000000D401}23803464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402678Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:35.079{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0EDF-60E3-340B-00000000D401}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402677Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:35.079{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402676Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:35.079{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402675Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:35.079{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402674Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:35.079{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402673Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:35.079{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402672Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:35.079{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402671Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:35.079{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402670Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:35.079{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402669Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:35.079{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402668Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:35.079{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0EDF-60E3-340B-00000000D401}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000402667Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:35.079{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0EDF-60E3-340B-00000000D401}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000402666Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:35.080{7F1C7D0B-0EDF-60E3-340B-00000000D401}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000402697Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:36.923{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8614186776B5710536609673766EF7B9,SHA256=95A16FD66368FC52E09BA11121CDE5EA71A23784D7E22EF588887501329E598D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457744Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:36.037{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7293396E1F9021CD281084D43D53119,SHA256=B8EADD697D1E0A3BAC2D3BB4456A441691ABF2C9891F6D106C7B13D1495EFAEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402696Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:36.829{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC5594B9547681AB2AB9D6B4B1543516,SHA256=53489E0C36FB8865DB214F4C267A78D1C04866386292F6F2C6F4BE35BEC51CA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402695Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:35.301{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54203-false10.0.1.12-8000- 23542300x8000000000000000402698Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:37.923{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55C06482573C4775B565EBF593D42D41,SHA256=ABE8523A96DEF636198BAE359FA40851255BC705B12890262C5F0310A2F1A391,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457745Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:37.067{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF66E85CDE0E3F6717313CA233579F3D,SHA256=CE3F098B9DA1E9C6FD617E03470981965CC7CBBC77ECBCBADA249108423F852E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402699Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:38.938{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62AB4081D3E8D917D7D1D44B63860E14,SHA256=D092B711613B590E052EFE06C0FFA37BD378E9614C5C94357C94D28E065EA434,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457746Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:38.085{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3C7AC1AB80058ABA028E24A19FBFD1A,SHA256=8CE5128E92AE287FEDEFBDF5F7A57258DD809034CAFB5E93BD44AEF237DA0E4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402727Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:39.938{7F1C7D0B-0EE3-60E3-370B-00000000D401}37402280C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402726Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:39.735{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0EE3-60E3-370B-00000000D401}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402725Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:39.735{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402724Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:39.735{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402723Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:39.735{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402722Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:39.735{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402721Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:39.735{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402720Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:39.735{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402719Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:39.735{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402718Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:39.735{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402717Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:39.735{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402716Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:39.735{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0EE3-60E3-370B-00000000D401}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000402715Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:39.735{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0EE3-60E3-370B-00000000D401}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000402714Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:39.736{7F1C7D0B-0EE3-60E3-370B-00000000D401}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000402713Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:39.532{7F1C7D0B-0EE3-60E3-360B-00000000D401}33122308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402712Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:39.235{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0EE3-60E3-360B-00000000D401}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402711Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:39.235{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402710Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:39.235{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402709Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:39.235{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402708Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:39.235{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402707Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:39.235{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402706Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:39.235{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402705Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:39.235{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402704Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:39.235{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402703Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:39.235{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402702Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:39.235{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0EE3-60E3-360B-00000000D401}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000402701Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:39.235{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0EE3-60E3-360B-00000000D401}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000402700Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:39.236{7F1C7D0B-0EE3-60E3-360B-00000000D401}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001457747Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:39.086{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A651C0176B2C9280BBE373FA9BC7F75,SHA256=6DBBC630A931F690D30AB7CB4B969F3E5751F799AA1B2795F129729491D059F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402744Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:40.970{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BD1D2A14438D1006983973444BEC401,SHA256=CEC09EBACD11771BD243D942A68ABE948D6247623CEBE6B83E44D2887F64880A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457749Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:38.679{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61259-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457748Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:40.132{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=585BF65616DE75D1A53C258D418D5322,SHA256=DDF41AF658A0AD1CCF2A1CAB6ADF646C67A72A1BF580DB86695EEF5C0C086AC0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402743Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:40.814{7F1C7D0B-0EE4-60E3-380B-00000000D401}30443888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000402742Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:40.470{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1723C8BD1F009AE3ED3D194F8930904D,SHA256=C380588C55577B44C44E79111C42B3C98577AEEC300392A981D5D554CDFA7147,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402741Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:40.470{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4A8C3C427AB6D7E5553C466910BEBFC,SHA256=11E9675634C7CA99522675CC1EE256E08AC66E345AD1F41C83FCCAD8F7153A32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402740Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:40.407{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0EE4-60E3-380B-00000000D401}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402739Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:40.407{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402738Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:40.407{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402737Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:40.407{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402736Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:40.407{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402735Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:40.407{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402734Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:40.407{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402733Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:40.407{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402732Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:40.407{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402731Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:40.407{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402730Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:40.407{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0EE4-60E3-380B-00000000D401}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000402729Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:40.407{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0EE4-60E3-380B-00000000D401}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000402728Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:40.408{7F1C7D0B-0EE4-60E3-380B-00000000D401}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000402759Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:41.970{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB05FCEA9F9FCF2B8E6E1CE214794E3D,SHA256=A5557E3E4309B65BBD7A3C9CF24E41251B2F199454213520DB8B9DF9B01EACF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457750Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:41.146{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60A8393471E10341C77E08397FCBF31E,SHA256=F37A422B1C1E4A045F3B6E20A507735C48B8B36440D43AF315E5A0BC4CB70824,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402758Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:41.407{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4AA89764AEFA7022683401DC8E276A43,SHA256=2A161FBA9F0F8C1BBE741138DD3D11FC74CD342A77254440D838C569BEEED1BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402757Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:41.282{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0EE5-60E3-390B-00000000D401}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402756Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:41.282{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402755Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:41.282{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402754Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:41.282{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402753Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:41.282{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402752Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:41.282{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402751Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:41.282{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402750Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:41.282{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402749Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:41.282{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402748Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:41.282{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402747Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:41.282{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0EE5-60E3-390B-00000000D401}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000402746Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:41.282{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0EE5-60E3-390B-00000000D401}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000402745Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:41.283{7F1C7D0B-0EE5-60E3-390B-00000000D401}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000402760Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:42.970{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=692DC7F509365E703C5D0FD3D7A3A51E,SHA256=2E4C22A5AD51C5512B4C93D3619172C93ACF01889BCD4B96A2C360907B488B3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457751Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:42.161{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9754B9DDC42087A78F39E5F11F0A9DF2,SHA256=81BE12FB6BF50642E189484229508817AA3743C00ABBDB9F3D4A707877CFBFA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402762Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:43.985{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42903B9682D4C9B98E24697B3E13E480,SHA256=1FD5AA75EE90E7C5E88050F4C258661F3BAE1F0EAF6F9B69F52A9B92B8B0A6EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457752Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:43.178{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=087D5DC61C36F183B6A29C96E7279240,SHA256=53CF801CBAFA1D157938E84E70A22FEA1A95AD2CBC6A88684C158EE343717FA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402761Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:41.270{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54204-false10.0.1.12-8000- 23542300x8000000000000000402763Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:44.985{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CBD6B0BDF3022D72B5F88A7477ED003,SHA256=682F8BC81961983656876B8C9FACA7086EDB0F552B56D62914CE567252F82F15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457753Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:44.180{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A539DDDAABFA132644791E70BD7E50AF,SHA256=C922B224E429FE0EF5325116709767DB28A8EEC46DF7138AD4BCC4879F53F5A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402764Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:45.985{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7C1DA1826E4CA0780B3F4E0D65AF02F,SHA256=C6F8C30A18EB14506E0369BB9D1D94924603F257E59632AE39E7DC9707513B27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457754Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:45.195{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=593CF4765A6D9ABC15FF717702DBF5FE,SHA256=845C15DBFD40B938BB2358EE8B6B9E10D69A7D601C5A1125DC49A7F1F4586313,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402765Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:46.985{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0631D63AD88D29B2070F732CA1D8F14E,SHA256=4DCEE906DCD6E79170CAF3F34C5DEDB39B3F910795387BF7360C0414E73A218F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457755Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:46.225{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FB4089E06CC562D42E255F5A75969F1,SHA256=C6B67272869F07CBA5B8F877DF6562460988B9070C011426D70F565DBAD39ECA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402766Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:47.985{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1EC4F1CFB58A94945350C7BD92FF88F,SHA256=7E68B641577A36CA412544E809B74C6DF379831C8515EC77722D3385BF49B53C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457758Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:47.240{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB7FCE918A6A22E413B61354D4DAEFE9,SHA256=3D56D7B64B05953E9A243C02CD41F4C7011073085AAA856D2B6803DE34D8877B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457757Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:44.703{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61260-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 13241300x80000000000000001457756Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:53:47.071{D694AEB8-B3EA-60E2-1000-00000000D301}416C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d771a5-0x2d16a32b) 23542300x8000000000000000402768Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:48.985{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=402F854C49DBB5F7D221F68676E766D5,SHA256=E8AF0C5CBB2A599B1DC09F393F4A6F5D8726B9CFC37E395AA3DB4D0FE426E3C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457759Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:48.254{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D4601FAFB3010CD79180AFBFAEF2719,SHA256=3215A607AB0A2637EC34CE08F50174F99366EA50F68166F4EA6295C97A08EF8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402767Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:47.255{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54205-false10.0.1.12-8000- 23542300x80000000000000001457760Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:49.271{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89AC500268BADCECA7F7AFFB809741FD,SHA256=C328B9435DEFB33D32BCCC7CD46FA5E02D8FE9740CC7F9CD6903437E3C14B798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457761Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:50.289{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E7E83E7682FD46F63A45E1C6A225D59,SHA256=59159BF209EA08C09DBDD9722C722BCE5F38CE0ED79646D92776E6214A570B79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402769Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:50.001{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58EB15750A3F775C94FA716CB1FED18D,SHA256=D65008BC334A934BFF0E806B75D2CDE9217009E5A727A83C56480C3DBF9E1242,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457762Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:51.320{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31AED20C479C3CF3060FCDA9FC392A1C,SHA256=58EC5FC4F1E53404296C42359AA34B5EC88CE73EB7536EBC882724B72B655AF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402770Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:51.016{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34FDB09D685D016B1D4DF2293D26B4E4,SHA256=BC35C99F445629692403F91010AD61C9647A680A6719B4B8F359F2012E7B5D15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457763Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:52.350{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DEB9EF076C6CA34FD1079FAE046A577,SHA256=F6E1B661B40818CA8F58E5DF5AEAE4E557217BAF581260A77D444FBFBD582701,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402771Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:52.016{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6E80E70D83383FC4FD49596F74B79EF,SHA256=8FB76A797ADE08A10C53A19B143DF1B2472BFD348DDFC58836307A0ED7642589,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457765Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:53.367{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EE707274F100DC70E9FAE20BA908052,SHA256=7D30E4E6C0A5BCD39ADF2CE58D5B28FFE523F61BCC64AFC0834842B676FA33F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402773Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:52.442{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54206-false10.0.1.12-8000- 23542300x8000000000000000402772Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:53.019{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A8522D25C6927E4C8A50B981107B8E6,SHA256=0201037758E45F7706B380DF4734AB70F582E1DC096CE276137FE8AC7D3850C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457764Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:50.466{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61261-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457766Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:54.385{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3763C2AAB95D7CF65E7869D63B78A042,SHA256=7AA4559C6C9FB3E464E7AB1A1522BF96B9C8CDD2D1940D6C06F6A842C345F43E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402774Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:54.064{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E072F57D9B3080CE2723D3E5D1422F9,SHA256=4D694BEB658B286184254786CF105F8A2875BAFE1970DFF9E2C1DB6D4136F0EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457767Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:55.399{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C4B60BFE58FE2C593381A2153C6F697,SHA256=3567DA72A426F25454BD5DE8E4CDD57A8FE0DE0DEAF272E2645100C25B5380C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402775Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:55.165{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB77CFE62D562C0760656D2AD71603A9,SHA256=72117EA08254B18A36519B8BE5DC80184A82DF457ABAEB5A1AFA666BA532E619,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457768Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:56.446{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9FACBDC2CC54AC76D24AE8CFF2EA7E4,SHA256=7A7113F33312B73A2138E7B96EC88115F19F4D7F42B306E4A2711CF30608283C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402776Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:56.197{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D6D991BE52657A5F55C3A08BF8CEF47,SHA256=474868A2693B2550F207DF30409F4C466AC19CD06749A00FF1B030294C5475AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457769Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:57.464{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE5ADF00B3FDC0A1A9C753AB7A69A9B8,SHA256=E085DAC0A9BC7286B27356E6118FD7271F63363D340B937332BD1C11B0192D38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402777Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:57.368{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A565DD6BB3A56FBEC263B4AA97A073B9,SHA256=6A98F26CC4F846FC4CB187829BBE13EF773DD2DC2EDF84374B53C45C12EED66E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402778Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:58.384{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=869629BA6EB420BC6C80DE59B2642B4E,SHA256=EECA4AEA1C922FCF884A66ABB1C456442B1AE607184DC1E3367907C4F2EC6EA4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457779Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:58.896{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0EF6-60E3-CB0B-00000000D301}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457778Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:58.896{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457777Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:58.896{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457776Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:58.896{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457775Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:58.896{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457774Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:58.896{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0EF6-60E3-CB0B-00000000D301}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001457773Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:58.896{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0EF6-60E3-CB0B-00000000D301}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001457772Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:58.897{D694AEB8-0EF6-60E3-CB0B-00000000D301}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001457771Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:56.491{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61262-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457770Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:58.481{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C75E576DC9A6465716C4B7396D50504,SHA256=072A8A42B00B7B2B8A6B2E56D7381ACF8041529AF34A8451E34D210074F75E6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402780Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:58.451{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54207-false10.0.1.12-8000- 23542300x8000000000000000402779Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:53:59.400{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E6E170ED10CCBE38744BE8699FF95D1,SHA256=BEF5ADF1465AC065022D68822E27B4640D2CA59CA953384A518C4B927523ABDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457790Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:59.910{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE52D99DCA67E29064A82723AF8E66EC,SHA256=A114D9FE9938CC0DCDCF84B41CF261B857A262684B1B524D0DBAEB4B7A6EA5AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457789Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:59.910{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEABF4A6A81E8046D0401E50E01C2994,SHA256=7BE241DDD051B19072B191A0E56033C22A200CE867F7459278B4CDDC2C7B1E8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457788Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:59.511{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BD6FBCA8118604BB7FD2F816AA3C498,SHA256=BD23941E0D6A0A91F29639411A847253A11783651DCF788C5F6ECEB73844CDD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457787Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:59.396{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0EF7-60E3-CC0B-00000000D301}4784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457786Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:59.396{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457785Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:59.396{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457784Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:59.396{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457783Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:59.396{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457782Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:59.396{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0EF7-60E3-CC0B-00000000D301}4784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001457781Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:59.396{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0EF7-60E3-CC0B-00000000D301}4784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001457780Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:53:59.397{D694AEB8-0EF7-60E3-CC0B-00000000D301}4784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001457800Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:00.563{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76058C4A8C5D75CF40D76A3BF3CF2ED3,SHA256=A211D73F0E2EBE8B2F1537A1FE6327A1E46119619F728C70EA1BA4F1873B0D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402781Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:00.509{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=657DDCB5CFCA6C46DACA9CF0F38610BE,SHA256=56C397BF06E82385E68A58C359FEBD3385B77B868DD51E2D79E5623FA761C511,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457799Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:00.210{D694AEB8-0EF8-60E3-CD0B-00000000D301}59482228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457798Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:00.079{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0EF8-60E3-CD0B-00000000D301}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457797Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:00.079{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457796Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:00.079{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457795Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:00.079{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457794Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:00.079{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457793Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:00.079{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0EF8-60E3-CD0B-00000000D301}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001457792Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:00.079{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0EF8-60E3-CD0B-00000000D301}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001457791Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:00.080{D694AEB8-0EF8-60E3-CD0B-00000000D301}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001457802Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:01.578{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15B7F9508EFB183259447C9C65686A54,SHA256=23CDAB93436BA725256F3AA7DC7B2C4EEF19F32EA762331C7FB871ED340B9FB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402782Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:01.556{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E69A1E0F193DBB1462707933674CB54,SHA256=982F7A41FA7FF47EA5DBDE51728018AFDD016DCD92FDA4F255F7F9688389AA08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457801Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:01.125{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE52D99DCA67E29064A82723AF8E66EC,SHA256=A114D9FE9938CC0DCDCF84B41CF261B857A262684B1B524D0DBAEB4B7A6EA5AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457812Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:02.692{D694AEB8-0EFA-60E3-CE0B-00000000D301}66806272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001457811Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:02.624{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6516764E563081E9D73FEF5559A74D82,SHA256=41C2194A00C6835258547A359142B507AF55021BE6A8D2BE7CE8F31D144CD083,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402783Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:02.572{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A9DEF580F4F5D52857A9527D5F9C2D8,SHA256=6A2A016B7BE9869D8A3D4E9F70DB7B5E19BA93C5051606AF7110447CE4CBE443,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457810Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:02.523{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0EFA-60E3-CE0B-00000000D301}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457809Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:02.523{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457808Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:02.523{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457807Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:02.523{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457806Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:02.523{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457805Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:02.523{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0EFA-60E3-CE0B-00000000D301}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001457804Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:02.523{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0EFA-60E3-CE0B-00000000D301}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001457803Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:02.524{D694AEB8-0EFA-60E3-CE0B-00000000D301}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001457831Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:03.864{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0EFB-60E3-D00B-00000000D301}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457830Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:03.863{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457829Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:03.863{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457828Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:03.862{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457827Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:03.862{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457826Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:03.862{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0EFB-60E3-D00B-00000000D301}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001457825Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:03.862{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0EFB-60E3-D00B-00000000D301}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001457824Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:03.860{D694AEB8-0EFB-60E3-D00B-00000000D301}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001457823Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:03.640{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9668D94514486FB7FF3EBBB8E1874276,SHA256=4A389F64E0F1AD53B9E033E60366E67F0272160EDCCF0AEE300EAB6BC6E99111,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402784Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:03.572{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E624CA52FC80C1ED1809E45E68DCE479,SHA256=020C6AA240B0CBD138E0D77015B9E474A8DC0E5970663238B6F6FC1C76D5DBE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457822Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:03.558{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F3F3E01826B721AE74E7DF794045C12,SHA256=39DFFE0865FCBAC22F37C14A2CD0A9D3896D72060A313B5E120D648312549AED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457821Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:03.327{D694AEB8-0EFB-60E3-CF0B-00000000D301}67565716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457820Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:03.177{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0EFB-60E3-CF0B-00000000D301}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457819Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:03.177{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457818Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:03.177{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457817Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:03.177{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457816Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:03.177{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457815Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:03.177{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0EFB-60E3-CF0B-00000000D301}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001457814Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:03.177{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0EFB-60E3-CF0B-00000000D301}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001457813Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:03.177{D694AEB8-0EFB-60E3-CF0B-00000000D301}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000402785Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:04.572{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE9FD360362CC47C3E663A1AC146B31B,SHA256=808FDC221AE2C2576A284F2AD44A63EB7EFBF1317974ED97EB5B326415B127D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457843Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:04.879{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C151649CA6A609425E75C905EC5922A,SHA256=A7D32464062D703FB978428D7650CCE35470E08038E54228EB4F3F6B015B4FB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457842Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:04.680{D694AEB8-0EFC-60E3-D10B-00000000D301}41644220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001457841Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:04.642{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD1E183EFF989B710DDF57AD8FB5CBA2,SHA256=AD11E260155763AAEF5A1E2DC7E2F7C5DDD7867034FFB184CE5223DC6A554BCB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457840Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:04.542{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0EFC-60E3-D10B-00000000D301}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457839Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:04.542{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457838Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:04.542{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457837Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:04.542{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457836Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:04.542{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457835Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:04.542{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0EFC-60E3-D10B-00000000D301}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001457834Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:04.542{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0EFC-60E3-D10B-00000000D301}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001457833Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:04.543{D694AEB8-0EFC-60E3-D10B-00000000D301}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001457832Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:01.701{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61263-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000402787Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:05.572{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA664922D149009D3987F98CD67A9806,SHA256=963615DFBEA0913E8CBE5DAD4EE790E9633FB4E86450C8319976FF5434235464,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457846Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:05.660{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45EE34CD481AC99145E1AD5B490785C0,SHA256=ED3FE95B9BD71CCEDF621052A59E8099A4485F086A32D2AD064B776F73874642,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402786Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:03.450{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54208-false10.0.1.12-8000- 354300x80000000000000001457845Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:03.574{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61264-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001457844Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:03.574{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61264-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x8000000000000000402788Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:06.572{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51335FEC3DBABB53573A0E6CD0BACD4A,SHA256=6A6A417DCEC72F4496B10DF382A779F9ED7A5C9AA988E79B6F31680D21783DB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457847Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:06.678{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF6706376DD718A125E6896176604D62,SHA256=E51B6558E6989194DA30F0893A8B9697A0F5475E00F499C3ED63C4B8D8979850,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457848Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:07.708{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF8249E1998C8C7200BB2B3AEB96A510,SHA256=DA59BF6921C0C6CF008548CFE782E885A5C5DC01D8DDD3BAD63E117161E81851,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402789Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:07.572{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97C4A6FBEFB519F8664AD0F49C05F507,SHA256=CEC40F9E195F64DBE679A063490430B95111A6B6964FA5B3290C3ED23C217E8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457849Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:08.722{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A78916390E1B593CE9A22B7072CDB077,SHA256=ECC288FF503BD0E4330579F0F4D020A539D3E67CF23739974BF3791FD38CD286,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402790Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:08.603{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=631E908E9EECD001A34DA19A6BD9CD6B,SHA256=756306875833AF940D287552E042162DA4156110DAFE7D8A5386C59C883243EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402791Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:09.603{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=477951608C808B22D0A398E2A9FBA9C8,SHA256=F4D3956BEA0E1B49BD0C5CAF14A8EA3315332C604F679E176A5210812D9A2710,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457850Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:09.736{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57AF67B5DBFFBAC3BB8F0FEE44D0E7B2,SHA256=0B074A1408AD19E7F40E4FEB120295076FB7EEA97949AA44C7169949D081AB9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402793Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:09.435{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54209-false10.0.1.12-8000- 23542300x8000000000000000402792Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:10.603{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED787CD7891A87E9E41FC22144383CAC,SHA256=1596363EB6EC4B84062AAAC15AB344DAAC460DE8F36AFB50D2FE145D7B3ADD5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457852Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:10.753{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D9D3027C7780A297D918A6C7C9FFCB9,SHA256=952BC7748F358473761B0E43B646C1BA7DA08EA806886585C4E2E4516A27D40B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457851Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:07.485{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61265-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000402794Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:11.728{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11472D9C44F966E537B9F62ECCC73BC0,SHA256=A041FC6D556BC1D699D4AA1607E64D9BBB354557758552AFB237776BFBE66DF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457853Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:11.755{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8776BC22096933B94196F0E4CCE0A6F6,SHA256=93A858E4C0241D715A43363C16C11B33A6D7FD6D0E8E68CF5C99190012B6F5D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457854Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:12.770{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=815A88B8F2E3A0C0EC55439F75E810FE,SHA256=52027062C4F4A5001B3661DEEF7C4582863D8B45CB176F9F2B3F9D69F0777181,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402795Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:12.743{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ACB051A948381A6977F700865F730FC,SHA256=68653BFD3FAE33797D45DCEA875015361424592D9E248317982B6BBE9D288C4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457855Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:13.784{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C819A0246EB616DDEC59ECC05EE1579,SHA256=10428C09246AB4705CF0599F334B4FA5FC1D2A336458487B0719DFDA750970FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402796Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:13.743{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B347DBA978E3F0EA55347D26D7FA4F46,SHA256=69A5166A13BFBE92CD15B90BF32EB5C35857038EB46F0317321F99A12FC33528,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402797Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:14.743{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07EBA7B30F87A0E64531FF7FDC6F727A,SHA256=1CB0DD520CA9C340D91A957D79E78DD1634C863EC431EB947C15E0F5F629C6FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457857Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:14.798{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=111756EF556660E50E04BEBEA2F2DF10,SHA256=44D928040C9699B48D216F145BAC677CC8086DF0E17253A354147AE35B0660E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457856Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:12.547{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61266-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000402798Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:15.743{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=238B3D49B8C62A4E3D78806478DA3E2C,SHA256=668B2BCDAEF696FE15D61C7B0DEA6EAFE7BA90991A67ADE31570ABA5948B921E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457858Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:15.813{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7BAEA0B2B92671A7C7AC2E53D73A424,SHA256=4A1033087E8E6DA5D5D123A33CFA2B7666B51F3AADF0142AE0935B19B8734975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457859Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:16.845{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA6D4B2ABE818ACEDBAA79D54199A53B,SHA256=3E05FA27F63D722E11A038454E98FF5FBFAF3DEFD916E1AE31CF41410006510E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402799Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:16.743{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=389E05535A613B17110E3FE4F2EE341C,SHA256=FFC865284CD5E0B4E7B3AE32C93A656EC221FF8F5DA5F706F258510872C1EA08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457860Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:17.880{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6E0A5356EC26F49D87D80C61B428EB5,SHA256=7C6F9AB046741BCDC6548993DC3DEF5810907D13AB24E7D331503DD784CAB900,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402801Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:17.743{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53E03857A30FE16D97C5EB21EE47CC34,SHA256=7B39094561E216161AA420EB4D8E5B91E969D7FAC20FBB0C6084398507FBE437,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402800Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:15.466{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54210-false10.0.1.12-8000- 23542300x80000000000000001457861Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:18.910{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19A76286E36CA2D3C6C948B97F4018B6,SHA256=217B4388B2BDA40D1C76FBA425FD1F62AFF8CEE4F00398F1023A6C44E4092B1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402802Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:18.743{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F11BD73DD2787FED9ECD16A56966E75,SHA256=4AEC409331CA036B5D01623812C4F0400CEEAB7700645393CC81BF049D87A8C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457862Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:19.910{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC11DFC627DEF727F9C4BDEFE259E53B,SHA256=CA883B79FD9337F298AA2F1B21A4A346ED9725A3AA9D9EDF9BCE709AE5C61D11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402803Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:19.743{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84067FD1613AC5BAFEDA80EFF5AA08AD,SHA256=2EFF18505DFE8056801392C08E4BB3732C8351696E42930932EA154AEC9357C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457863Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:20.926{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7375ED86C139991C07DB0465E20C179C,SHA256=F678779983BBEC56386822A9D6A8CBA74AE5F9478DBCA89D714E9D0BE6312A1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402804Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:20.743{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68AE85F3CED3531DBCC566204CC79415,SHA256=08203776B938A3B5843011DEB6AA6A4A0A4BBCC7CF86B4CF75916A938DACDDAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457865Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:21.946{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=976920BBFD49ADC5295C69FCDDC629F7,SHA256=061EF6FDAF0D48E93D139594FDF7B19F17904AF5CD09D96E8E571237870E4DEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402805Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:21.743{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69057E7DAFFAF267FF9956A725BD08E8,SHA256=E1877F9AA908C065F225C2A7092893F5B277B900F99916623AAE09274584CF44,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457864Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:18.587{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61267-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457866Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:22.961{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E5782EAB14DB111E89E6C2C6A4231A0,SHA256=0B14D9181DF2DF14341C68CD2E02400E97D6FDA16A61CE1C80E6DFACD2FE69A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402806Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:22.743{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4595EC60101DD2CC65F28E4FCDB3F5B5,SHA256=C1C2F5CDDD4159380ABF30B37D8514203C9AF17F920B63A4CE9EB707397FEB16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457867Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:23.961{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30B8519DA8823DABFC3B0C2D83406772,SHA256=23A18B1F57F9A770D0C9A57D262797357C96FFC926C6B4ED0731B45527E79E23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402808Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:23.743{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=280DC0A034D3FD184183928E4B5FD4D3,SHA256=5F269A3C2D591A215BE1DBBC5CECF112465E99209AA744091DE07F107C8AE8C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402807Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:21.451{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54211-false10.0.1.12-8000- 23542300x80000000000000001457868Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:24.976{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8A7EBDBD0B2BDF1C7C1B91595EE138F,SHA256=D734B3B620540D8B04AF3F21A524FA94E5E96EAF33D1B1ABA20E460DFF9ED1DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402809Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:24.743{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5FEE20159ADB1CB0001DD106693B560,SHA256=61AD0C0DC5B063218C7909EB923798744637CE38AEC11EDBB8F2915A60E084BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457869Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:25.991{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FD46AC5B9C44DEBBB82D6A09A8FDE08,SHA256=93EE8ECB67C613FF031F6553E48C80741EE8D70CE83C3FE33F7E24FA466ED535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402810Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:25.743{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=354071F22D30356C86E9F4C6B430623A,SHA256=6ABD2CC21741A3A6255CB5CC240C66022B3A03232ACDFE8387E4EFEF090AF3A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402812Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:26.743{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FBF34CD98EB9BD03B84B8F0B7E9BD0F,SHA256=69A250FCA7FEACD07DF8B0AA738AF28EB903AFC491A53CF04CA310DD4EE5D7DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402811Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:26.431{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9C2E379F867EF6920EEFA914B2990210,SHA256=DB26F8752878DE177D93D050404C37B6F815D801D0DC724C0A61D4BAA9C5BED7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402813Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:27.744{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB42340EF9290F0F9709DB657ECD223F,SHA256=39F58AB0C66F7D8005FC82CDF0433E79AE1FCCADFB7D96C6B76D3AE3E127B20F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457871Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:24.606{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61268-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457870Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:27.006{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1B2F58E897141B042DAC3BB3DCF1E47,SHA256=58555091F0B3D4E1BEB93E9B4225228BC062077A7429C963484B66555EBBAFAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402814Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:28.744{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1B377D9595170DEF1232C27977B7256,SHA256=45347FFA09CDB39B6B711DFE6068B4C747E13791C52FA3716F6C6D5E69527D62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457872Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:28.020{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CABB87F25DC3C4A805A007F850436FC,SHA256=A02E7B006D108E63320FE83014ECF28CA4B0A4385E32EE80927AC2CAB8B88B27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402816Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:29.759{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=437407DACFCA8596D77DBC89CC1F75D9,SHA256=692D0C7F9D431661F5BD5ACBAF8793848555A2910A0A7D52CAAD30289B912DF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457873Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:29.038{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57B64F3F3EDC4A948159A36105E73710,SHA256=FAE2F0ADEA630159E96D94A4A5ED76A8B1636E1EABECD43F86E433B4DA854AFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402815Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:27.451{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54212-false10.0.1.12-8000- 23542300x8000000000000000402817Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:30.759{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1335D4E842C8E82131D5020D858E6D01,SHA256=D57A3C8C1E941B9F7CB33A4B6D1B9BEE5B54D153857F77B7775DCE9E86748633,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457874Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:30.056{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D43A53353CE434F7543A1F0FC83A408,SHA256=8AF203237ED8ABE28413204B8A1C75CAB4BE1E9FDF884B32B9EC445A4C25E8FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402819Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:31.759{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93D99CC075C92D9127BE7E4CCD2E36BC,SHA256=2413DEE18B96AFE13FB92006DD1F987C6B5D05FCBB4FA4828E76BF55A902A693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402818Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:31.681{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457876Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:31.102{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BFF0C0BC7281B5267AFF6DB6606F1B0,SHA256=8457C91BF2007F665DC53A72F9ACD2CB12416C491FD36EF66ACA302169B2F150,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457875Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:31.055{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402820Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:32.759{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B64200D51C526C78605A6158752FCCB3,SHA256=32569DB01A93278EDB5B7DFDD1F3513A939A52268E29CBA876E35A059544B278,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457879Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:30.617{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61270-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001457878Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:30.501{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61269-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001457877Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:32.116{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AE2114634AC5D3B9953FA23F72CB308,SHA256=F952857CB9C6086E59704498DCDD62CD3733F7BCEF3E863D61085515231290E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402824Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:33.993{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AB33D395B2380017F3AAB74A894152F,SHA256=59588507EF059BB5454C4714A80856AC143FD8011A352A7FC48180D9CBA28D1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402823Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:33.993{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=687AF5538403A3D81C940BF08EE2E03D,SHA256=46B966D033479A10A140C2F877913CC268581C535185B7B9982BB4734F19A1A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402822Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:31.889{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54213-false10.0.1.12-8089- 23542300x8000000000000000402821Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:33.759{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3475BA8D757A1536126E6B59DEE09AF,SHA256=89667246EC2EEAE37458A485B95D1BB136DF2F5AF5DBDE2385645A32C9DF8A66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457880Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:33.133{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F30338A5AC3243981F3B32982AA8612,SHA256=334BB370E52F618A76DD61EE292D880B458465A2AF23402EE959AC1E1979E698,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402839Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:34.869{7F1C7D0B-0F1A-60E3-3A0B-00000000D401}36361444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000402838Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:34.760{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8CEAB014E884F4CD12A8DEA55A4D046,SHA256=3EE85ABC6AB2038408053F8591D5CC404ECD89C9C3815427196E1B0DE27F3D82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457884Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:34.699{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56C6408EBFBC5FA15F513313CD6D9DD9,SHA256=EA4FF1ECE6EBB20927691E7A7ACF3027551382C90D41B92669AFECB1C183A0DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457883Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:34.699{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B86271E289132D193FD6D606D5B8930,SHA256=E6FE355E370736F9E372F065910F5CA8B3C7C2BCCAD65A68454E70285C16D506,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457882Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:34.168{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AEEB3CE75261638EB796FB9FFB395B1,SHA256=A563041770CD5256CEE2531514C344F3CCB5C9AF3E74FB822CB1C40559986502,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457881Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:34.168{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E7373894C4F6F595F5AB90A89CC39EB2,SHA256=16E80270B44460BF76983E261F5727B52D36B1ECB261814CCE0426843EF7BAF6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402837Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:34.572{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0F1A-60E3-3A0B-00000000D401}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402836Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:34.572{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402835Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:34.572{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402834Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:34.572{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402833Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:34.572{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402832Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:34.572{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402831Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:34.572{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402830Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:34.572{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402829Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:34.572{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402828Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:34.572{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402827Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:34.572{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0F1A-60E3-3A0B-00000000D401}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000402826Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:34.572{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0F1A-60E3-3A0B-00000000D401}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000402825Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:34.572{7F1C7D0B-0F1A-60E3-3A0B-00000000D401}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000402869Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:35.806{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C101C1A8D393A5EA5D2C6C821F84429,SHA256=617D6970EC9C52EFE3CD1BF96B93F488BB570B8DBBB38B33F48B8C1CAA435F22,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457886Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:32.891{D694AEB8-B3EA-60E2-0F00-00000000D301}376C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-39225-false10.0.1.14win-dc-201.attackrange.local3389ms-wbt-server 23542300x80000000000000001457885Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:35.183{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C608BBD510964983BACDC5D5EA3E2728,SHA256=1EF678C772430AC59FC610EB31DAC0262915727FC573469615C0A8EC88CCCDD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402868Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:35.744{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0F1B-60E3-3C0B-00000000D401}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402867Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:35.744{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402866Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:35.744{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402865Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:35.744{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402864Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:35.744{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402863Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:35.744{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402862Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:35.744{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402861Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:35.744{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402860Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:35.744{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402859Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:35.744{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402858Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:35.744{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0F1B-60E3-3C0B-00000000D401}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000402857Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:35.744{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0F1B-60E3-3C0B-00000000D401}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000402856Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:35.744{7F1C7D0B-0F1B-60E3-3C0B-00000000D401}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000402855Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:35.618{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AB33D395B2380017F3AAB74A894152F,SHA256=59588507EF059BB5454C4714A80856AC143FD8011A352A7FC48180D9CBA28D1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402854Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:33.420{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54214-false10.0.1.12-8000- 354300x8000000000000000402853Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:32.946{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-59446-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 10341000x8000000000000000402852Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:35.072{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0F1B-60E3-3B0B-00000000D401}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402851Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:35.072{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402850Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:35.072{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402849Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:35.072{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402848Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:35.072{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402847Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:35.072{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402846Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:35.072{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402845Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:35.072{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402844Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:35.072{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402843Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:35.072{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402842Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:35.072{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0F1B-60E3-3B0B-00000000D401}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000402841Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:35.072{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0F1B-60E3-3B0B-00000000D401}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000402840Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:35.073{7F1C7D0B-0F1B-60E3-3B0B-00000000D401}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000402871Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:36.822{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=643D94E7A1A61843A4247BF3774677AD,SHA256=D632ABB794298847922E5200BD433519A7637B69927E0C026A23863E73F037A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457887Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:36.197{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94E0D6A64BA548A4DEB33FBF733CC9AE,SHA256=6FB29E996D2E7FEFA0243DB9BE443A9D74E577EBAA65E857DCED935A45533483,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402870Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:36.775{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B5AF0F975B544CD7BEE1E76C34D6B8C,SHA256=3524AE9490F64CF9F838037A65651265E91B8402EA0083D8B72D4B8E057F142E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402872Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:37.837{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9342C7480378ED8F71ED8C1002EFE312,SHA256=37FA2E35C72966A5666CAE1A2FFA7A586E30E46F4905FA3062FBE0ECD6DD6C98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457888Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:37.212{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17B78B07A3DE70356641E2A53850F273,SHA256=031CAA9317F9085B997EFDB4A66CB11DC11D81DEC8A998452814C3C649B87966,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402873Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:38.853{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5340615A2C6E22AB2B8AC939B1919E0,SHA256=871759DDFF55217F9D4444248631118C24C8926431609E53760A8B921D17493C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457889Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:38.229{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CFBFEBF2DCDA7D180800560AD2952E2,SHA256=F02A2620D78A5E0A809202CC168294A00F8B251AAE7FFDC32C020069E29E4F80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402901Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:39.900{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0F1F-60E3-3E0B-00000000D401}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402900Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:39.900{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402899Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:39.900{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402898Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:39.900{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402897Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:39.900{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402896Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:39.900{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402895Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:39.900{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402894Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:39.900{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402893Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:39.900{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402892Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:39.900{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402891Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:39.900{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0F1F-60E3-3E0B-00000000D401}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000402890Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:39.900{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0F1F-60E3-3E0B-00000000D401}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000402889Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:39.900{7F1C7D0B-0F1F-60E3-3E0B-00000000D401}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000402888Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:39.868{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B811241DCFB18FD3DF08E258D9CA703,SHA256=A73302897ED0520480C7326E65F07EE7D46ACDE74A898DCBCF6D51784CC2ED1F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001457892Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:54:39.625{D694AEB8-B3EA-60E2-1000-00000000D301}416C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d771a5-0x4c69a5d9) 354300x80000000000000001457891Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:36.611{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61271-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457890Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:39.262{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F58944DC786B3B75AB084A01571FA88,SHA256=9E1C59E4BB5B14CF33329406E4E9B046E75BDB337D1FEA2B7F1DE013BCFE1643,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402887Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:39.415{7F1C7D0B-0F1F-60E3-3D0B-00000000D401}35282704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402886Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:39.228{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0F1F-60E3-3D0B-00000000D401}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402885Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:39.228{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402884Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:39.228{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402883Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:39.228{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402882Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:39.228{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402881Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:39.228{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402880Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:39.228{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402879Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:39.228{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402878Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:39.228{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402877Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:39.228{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402876Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:39.228{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0F1F-60E3-3D0B-00000000D401}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000402875Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:39.228{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0F1F-60E3-3D0B-00000000D401}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000402874Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:39.229{7F1C7D0B-0F1F-60E3-3D0B-00000000D401}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001457893Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:40.278{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46DEC50DE0F292E05549574BC1CADD8B,SHA256=6FDD4218B59C598DEEC90F3F4F09C062D0E06D206F1AB94D4B80019695599938,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402917Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:39.420{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54215-false10.0.1.12-8000- 10341000x8000000000000000402916Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:40.572{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0F20-60E3-3F0B-00000000D401}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402915Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:40.572{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402914Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:40.572{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402913Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:40.572{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402912Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:40.572{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402911Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:40.572{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402910Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:40.572{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402909Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:40.572{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402908Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:40.572{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402907Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:40.572{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402906Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:40.572{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0F20-60E3-3F0B-00000000D401}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000402905Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:40.572{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0F20-60E3-3F0B-00000000D401}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000402904Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:40.572{7F1C7D0B-0F20-60E3-3F0B-00000000D401}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000402903Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:40.244{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4B47EFCFCA3A6C8A336BF7105A4DBB8,SHA256=F635A52C81B3752EE37E648FA6D19F5C1A3761581A1D282578B26F79897665C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402902Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:40.087{7F1C7D0B-0F1F-60E3-3E0B-00000000D401}19362812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001457895Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:39.055{D694AEB8-B3EA-60E2-1000-00000000D301}416C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-201.attackrange.local123ntpfalse20.101.57.9-123ntp 23542300x80000000000000001457894Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:41.293{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65F1015CA3A6C0FDD035C2D4BF23A92B,SHA256=492B6234A040CEE240096C561C8D144602115580712B927059CF2E1F09EAB800,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402933Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:41.634{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA2BE52F14E0438E9E729F62DC0AF13C,SHA256=EA89A79449102EDC060BD4235F7F06B35308B9D1B63A7C3A4F1ED801871BFC18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402932Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:41.275{7F1C7D0B-0F21-60E3-400B-00000000D401}33401648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000402931Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:41.087{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D46B8028E4678634BEBAD8F75F762474,SHA256=837885E4D76A0C66ACE45953CDC10F5C6D7B2CCC2E8C5E0329B950769F89192C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402930Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:41.087{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0F21-60E3-400B-00000000D401}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402929Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:41.087{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402928Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:41.087{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402927Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:41.087{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402926Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:41.087{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402925Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:41.087{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402924Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:41.087{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402923Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:41.087{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402922Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:41.087{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402921Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:41.087{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000402920Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:41.087{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0F21-60E3-400B-00000000D401}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000402919Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:41.087{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0F21-60E3-400B-00000000D401}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000402918Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:41.088{7F1C7D0B-0F21-60E3-400B-00000000D401}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000402934Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:42.306{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72FF903B0BFF9B3F959553666E50D1D7,SHA256=66DAE30736C4B2797383533202478EF441FF085AD4D37BF17142077E7F68B099,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457896Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:42.308{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D43F246B9E34D460284F23C79F0D94DE,SHA256=5E15FD286FCC50E8A6421C1541AC03246ED3467EC504A41CF9E591A103C05D2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402935Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:43.306{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6988D0539AF0729601B618B6AD92FDE3,SHA256=1FF14148AD3A5EFFDEC9A5D8D7C01B6EE4532D952E3B5A204FFF625F06DDEE1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457897Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:43.324{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9200218AE90328806421E3698E8B53C7,SHA256=BCEA52383A8B33533E5A77C8D6D2EB9D754BFE6CB20E53A7A120935B7D35A3BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402936Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:44.306{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45BC45EA1D934FF722B484F605617FAD,SHA256=4ABD789E602B8CC59B7F580DC90EE331E7C028056DD4378790CDE1BC26EBC81B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457910Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:44.758{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\pending_pings\6721de7d-6b44-48a7-b08d-c6aa7ab80deeMD5=878F13C4831999861016E16C71137367,SHA256=F37D9FB5A437F9CB1C4E533B9EB748175F32936A83F0D9C9FE36D8556550C31C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457909Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:42.589{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61272-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457908Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:44.342{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3672273B5A11D03D00412C229A7421D4,SHA256=A582BFCD2A0456D67802B75A749F5225034AF2E5B67E8C55B47BF3E573CC7C2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457907Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:44.242{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\aborted-session-pingMD5=B1AB5EF5E179C7CB8F8E757138CF917D,SHA256=805833E896EE82E213488581F3A0AF9F50FD6DFF42E0A46892BDE4C31B57513F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457906Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:44.227{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=A7143C8F15B54FBC372C23AE35C6A435,SHA256=784828F6248CEA4B9C6B8A8AD7675491E3B3ABD2643D44BDC24BDD36BB07FB99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457905Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:44.227{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=CE5A72CD75AD889E8AFD93993B5D715E,SHA256=C0E629A63514CCA06D8DB4837954AF8E0EF6721FF092BB1D9536CC1DD7E5E0CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457904Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:44.227{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=D6AF1D07E63F95FC1E7ABCE1DF332BE4,SHA256=178FB8A915F22B84BA8D042094A705696E5C8787691967D4FF540833F15979D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457903Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:44.227{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=860CD7A68D9370B0D255343369101BFF,SHA256=17C2F345217D745FAB965A884A7BD03667EA35A0668917A1055F32A1165EBA20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457902Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:44.225{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=75A8954E0AC50857D0D1D764B1A23B1E,SHA256=D5C4B42B63340AA084D7FB6370DA624E8B3DE0EE064BB4C419E34F84E1672309,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457901Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:44.224{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=75A8954E0AC50857D0D1D764B1A23B1E,SHA256=D5C4B42B63340AA084D7FB6370DA624E8B3DE0EE064BB4C419E34F84E1672309,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457900Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:44.223{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=E84BD082A39A83B4D834E7AFCCCC1A3D,SHA256=001A98DB12B3823090EACA28455B5F8876DEBDA68AB09D6FD2273FF2CAB973FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457899Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:44.221{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=7C67F0C522E3F10A2E6D0BEB9AE42B8B,SHA256=1F686C33DEE9FBF9233722F12BD8C65C6EDD0316B88F5A7DC027D3A976F9E4BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457898Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:44.205{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=17BA6DA0DF8006C3017FBCBAA44ADF45,SHA256=F5A67937D742542C85045F6B1E58C270D8035B5A4CD9077372B8BCBC8547FBCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457916Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:43.685{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local56827- 354300x80000000000000001457915Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:43.684{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local60903- 23542300x80000000000000001457914Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:45.343{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7533539E8934F6B3F36BD438C39E12D6,SHA256=0E8C889018144D3718CF2A01BE69EA5977799209F001BD5D5D9DE9CED16F0172,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402937Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:45.307{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DB180D4BD56BAF9948F14D102FA455A,SHA256=BD880B3CA225CE00D10BA6AD039E340D65EFAA0BBDA56735E4910B6B2171A5A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457913Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:45.059{D694AEB8-D134-60E2-1A04-00000000D301}46644852C:\Windows\Explorer.EXE{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457912Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:45.044{D694AEB8-D134-60E2-1A04-00000000D301}46644812C:\Windows\Explorer.EXE{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457911Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:45.044{D694AEB8-D134-60E2-1A04-00000000D301}46644812C:\Windows\Explorer.EXE{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000402938Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:46.322{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F568737E7B1ED3CC02D94505E3313A76,SHA256=8BC1548CBD66AFBF3E68EC4A9EF290CB5D683952A1B81BE160E9E3D747DE7AE5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457922Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:44.548{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-201.attackrange.local61275-false151.101.129.69-443https 354300x80000000000000001457921Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:44.548{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-201.attackrange.local61274-false151.101.65.69-443https 354300x80000000000000001457920Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:43.823{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-201.attackrange.local61273-false52.27.200.224ec2-52-27-200-224.us-west-2.compute.amazonaws.com443https 10341000x80000000000000001457919Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:46.391{D694AEB8-D133-60E2-1404-00000000D301}42124344C:\Windows\system32\taskhostw.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001457918Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:46.344{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C52C401D32D91ABD9FC4C73F0B4F456,SHA256=B0915F0A2E730B2FA6C3ADF5E152275DC2FD0DFF60129A123554D069907B36F6,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001457917Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:44.228{D694AEB8-F83C-60E2-EF08-00000000D301}6572pipeline-incoming-prod-elb-149169523.us-west-2.elb.amazonaws.com035.160.191.122;54.149.10.221;52.34.83.111;35.167.137.152;52.89.131.207;44.237.104.177;44.235.28.153;52.27.200.224;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000402940Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:47.556{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25D74749BA5FBA43744D369684F87A5A,SHA256=6F18A1387BB44FAA4B50AEEE8844E88139F58A88A48ECB8E69FAE6D4ED53CC57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457933Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:47.961{D694AEB8-B3EA-60E2-1600-00000000D301}12961200C:\Windows\system32\svchost.exe{D694AEB8-0F27-60E3-D20B-00000000D301}4992C:\Windows\regedit.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457932Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:47.961{D694AEB8-B3EA-60E2-1600-00000000D301}12961384C:\Windows\system32\svchost.exe{D694AEB8-0F27-60E3-D20B-00000000D301}4992C:\Windows\regedit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457931Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:47.876{D694AEB8-B3EA-60E2-1400-00000000D301}10401492C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457930Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:47.860{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457929Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:47.860{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457928Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:47.860{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457927Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:47.860{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457926Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:47.860{D694AEB8-D131-60E2-0904-00000000D301}17165668C:\Windows\system32\csrss.exe{D694AEB8-0F27-60E3-D20B-00000000D301}4992C:\Windows\regedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001457925Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:47.860{D694AEB8-D134-60E2-1A04-00000000D301}46644680C:\Windows\Explorer.EXE{D694AEB8-0F27-60E3-D20B-00000000D301}4992C:\Windows\regedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+9070f|C:\Windows\System32\windows.storage.dll+90385|C:\Windows\System32\windows.storage.dll+8fe76|C:\Windows\System32\windows.storage.dll+912e8|C:\Windows\System32\windows.storage.dll+8fc9e|C:\Windows\System32\windows.storage.dll+92ab5|C:\Windows\System32\windows.storage.dll+92e34|C:\Windows\System32\windows.storage.dll+92470|C:\Windows\System32\windows.storage.dll+94c4a|C:\Windows\System32\windows.storage.dll+94a02|C:\Windows\System32\SHELL32.dll+3f98d|C:\Windows\System32\SHELL32.dll+3e526|C:\Windows\System32\SHELL32.dll+802b1|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHELL32.dll+3d503|C:\Windows\System32\SHELL32.dll+3d3cb|C:\Windows\System32\SHELL32.dll+3cce7|C:\Windows\System32\SHELL32.dll+3c9ac|C:\Windows\System32\SHELL32.dll+122467|C:\Windows\System32\SHELL32.dll+1223c5 154100x80000000000000001457924Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:47.861{D694AEB8-0F27-60E3-D20B-00000000D301}4992C:\Windows\regedit.exe10.0.14393.953 (rs1_release_inmarket.170303-1614)Registry EditorMicrosoft® Windows® Operating SystemMicrosoft CorporationREGEDIT.EXE"C:\Windows\regedit.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{D694AEB8-D133-60E2-3BFB-250000000000}0x25fb3b2HighMD5=BF5D30514FEA913E25CCC9E546257088,SHA256=254B18A8CC6589AF666EE17CE4E76C67350AECF578206CC7678745ED47A32D63,IMPHASH=E6DBB62DC548A099806914C678466448{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x80000000000000001457923Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:47.345{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F33D5693E4A6E3F7B0AD3F2D0DA897A5,SHA256=B0505FF79B5E60FFDB41C1DCA8F22B64FC85DFFF024FFA9EECFDC665C188C641,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402939Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:45.389{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54216-false10.0.1.12-8000- 23542300x8000000000000000402941Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:48.556{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86A17721C930BB5C5CE3712EB25FE947,SHA256=5996B9044331B153718A221D81FFED0B65A68F14317BEA3CBC1B65705E2242A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457950Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:48.876{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D0811FA21B79B89A79660BEF80E141B,SHA256=B9B9F88BB89F7F384D8C2DB2F501E8E9D3CE252C9A6E8A24D9DCE6BE4137A50D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457949Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:48.876{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56C6408EBFBC5FA15F513313CD6D9DD9,SHA256=EA4FF1ECE6EBB20927691E7A7ACF3027551382C90D41B92669AFECB1C183A0DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457948Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:45.867{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local58315- 23542300x80000000000000001457947Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:48.345{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=556F7645D9323E4EED5754AAE328D3C9,SHA256=8B9CF5AB5D004F257322854A91C646019E766EA4A83D9CAE23FAF284BEA38866,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457946Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:48.045{D694AEB8-D134-60E2-1A04-00000000D301}46644852C:\Windows\Explorer.EXE{D694AEB8-0F27-60E3-D20B-00000000D301}4992C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457945Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:48.045{D694AEB8-D134-60E2-1A04-00000000D301}46644852C:\Windows\Explorer.EXE{D694AEB8-0F27-60E3-D20B-00000000D301}4992C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457944Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:48.045{D694AEB8-D134-60E2-1A04-00000000D301}46644852C:\Windows\Explorer.EXE{D694AEB8-0F27-60E3-D20B-00000000D301}4992C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457943Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:48.045{D694AEB8-D133-60E2-1404-00000000D301}42124344C:\Windows\system32\taskhostw.exe{D694AEB8-0F27-60E3-D20B-00000000D301}4992C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457942Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:48.045{D694AEB8-D133-60E2-1404-00000000D301}42124344C:\Windows\system32\taskhostw.exe{D694AEB8-0F27-60E3-D20B-00000000D301}4992C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457941Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:48.029{D694AEB8-D134-60E2-1A04-00000000D301}4664884C:\Windows\Explorer.EXE{D694AEB8-0F27-60E3-D20B-00000000D301}4992C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457940Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:48.029{D694AEB8-D134-60E2-1A04-00000000D301}4664884C:\Windows\Explorer.EXE{D694AEB8-0F27-60E3-D20B-00000000D301}4992C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457939Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:48.029{D694AEB8-D134-60E2-1A04-00000000D301}4664884C:\Windows\Explorer.EXE{D694AEB8-0F27-60E3-D20B-00000000D301}4992C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457938Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:48.029{D694AEB8-D134-60E2-1A04-00000000D301}4664884C:\Windows\Explorer.EXE{D694AEB8-0F27-60E3-D20B-00000000D301}4992C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457937Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:48.029{D694AEB8-D134-60E2-1A04-00000000D301}46644812C:\Windows\Explorer.EXE{D694AEB8-0F27-60E3-D20B-00000000D301}4992C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457936Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:48.029{D694AEB8-D134-60E2-1A04-00000000D301}46644812C:\Windows\Explorer.EXE{D694AEB8-0F27-60E3-D20B-00000000D301}4992C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457935Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:48.029{D694AEB8-D134-60E2-1A04-00000000D301}46644812C:\Windows\Explorer.EXE{D694AEB8-0F27-60E3-D20B-00000000D301}4992C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457934Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:48.029{D694AEB8-D134-60E2-1A04-00000000D301}46644812C:\Windows\Explorer.EXE{D694AEB8-0F27-60E3-D20B-00000000D301}4992C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000402942Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:49.556{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3CC35A9D3704551138A998F727DCEBE,SHA256=FE6739D5567B71A859137A3B9FB13576417A9638EA36E57DE9279F17FCF62958,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457952Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:47.590{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61276-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457951Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:49.360{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DE7E1BF4028189A172253B4C4CC71FB,SHA256=F748F7D8995EDD6A17F584924993C13783181B019B2A11FA21DA536791F9A94E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402943Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:50.587{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F2BFD47888FD49EA49C17298468E46F,SHA256=0930B30C47764ED96CEA0B5048399F2BC03251F437B590ABFF8D4DE62D2A639D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457953Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:50.374{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C756260524459409E548080018A6017F,SHA256=93516C736921018C25B2389D93F93CE249A0391D706671F55CB9820BA6129E83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457954Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:51.388{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F88A2E4320B8E7ADD8D2A29FEFADDEF1,SHA256=A79B88E5C5E86F8639721C76E2AF44C137403750F51BF0C9679773A3A8FBE47A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402944Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:51.603{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF2D74110058E90136F39503A886319B,SHA256=D9C54AB030FB2BEC8F2EA9D8720840CD63BD8E5DBE03F3E9D01F4C011C924286,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457957Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:52.971{D694AEB8-F83C-60E2-EF08-00000000D301}65724688C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457956Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:52.556{D694AEB8-F83C-60E2-EF08-00000000D301}65724688C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001457955Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:52.420{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAC6EBD252DDB92A3DD83BC8AF6C0CFA,SHA256=8C6C4D851A5B47ED02213C4E6C8A453563878315FC93F573D3B93216BC941171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402946Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:52.634{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=000D5FD687541F3BF9457705F89E9AA9,SHA256=5C036C121A4C4441AFCECF3CF5133D099414A7EF7EE67CBDA671070B7878FC76,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402945Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:51.373{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54217-false10.0.1.12-8000- 23542300x80000000000000001457958Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:53.439{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87CE70BEBCD842103E8720039F1C685C,SHA256=C8C85F84FA8949B4521BE6D1C813DA0888F0383DF76316973106CA320DF5588B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402947Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:53.776{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01B32CB4B4417C34EAEBAC3801F3E0F8,SHA256=069C3A48551056D38CBA9F05E6F20C7492194610CE3051B0AB0DEE9AABA02AB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402948Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:54.789{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D7B33B80B176AAB4436C9983B104780,SHA256=67D9C5F3538E27E9EAE82913B11FD47F2F2F671654DF355BDFD2D7E41A628273,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457960Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:52.600{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61277-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457959Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:54.518{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D81A11157F7C6609FB8766FEB9C4AE7,SHA256=64B5A145F6D6F651A22871D8077BE47783E6D551D790F2ED42327DFD2F6F11A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402949Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:55.791{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D62E8D0204E6BF78A80DFB201EFCDDF9,SHA256=15237EBDA8BDC8CBC08DC5074BFEF7F6DA5C5B021837AFA4A31D6C1937F0FB8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457961Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:55.553{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D146250605A374AF531B8061F804D2D,SHA256=BF6554A24950C0EE7F57A0EE7434935B0B2FF9845FFD20CEE612BC3D67FFD74D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457962Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:56.583{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C688134B6929A72ADD33CB841028CC4B,SHA256=97B7D5001EEBEE9181BC30F02AD366A74F28E17FCC476618ED24F4BDB11D9000,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402950Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:56.791{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25A11A848190B86E41D67D361072A25A,SHA256=76A03356CD84C3635EA5D6E67F73A9B85E4C37B919B33DA67282E073BD5BEB95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457963Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:57.597{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18387BE65CAB08F845E07E400943C5E2,SHA256=B7AA46E03D2EBC119F7E3B7F555DC65927CD4B40981625ABE0A2F0C576D964F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402951Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:57.791{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A564B575FEC1AF32842E6196BD5FD09E,SHA256=A68AD41C11B568B582E3903B4EE9BC384C816DF20CD92ABA4293E484DCD93ACF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457972Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:58.899{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0F32-60E3-D30B-00000000D301}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457971Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:58.899{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457970Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:58.899{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457969Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:58.899{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457968Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:58.899{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457967Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:58.899{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0F32-60E3-D30B-00000000D301}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001457966Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:58.899{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0F32-60E3-D30B-00000000D301}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001457965Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:58.900{D694AEB8-0F32-60E3-D30B-00000000D301}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001457964Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:58.614{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6752A94B6545A0E43B052F709260EADE,SHA256=11D5A8BAA4095DE3B91A19F347170C3C85626EBBDDCDD95D8E3DF54BBD90A6E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402952Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:58.791{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F343DC24CDC9BD1811918777165CE0FE,SHA256=114BA4D35A5E8CA17C4E04283DF9E447E9A2A42D68415EFB8612DC07DCDBFDA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402954Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:59.791{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD5120945727AEEEBF6C4B5CE47908D,SHA256=9EF195C073BAF7C0B5EFB499373CB1A7083E377214F484714B6DABA4C09D779B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457984Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:59.918{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CB831BBAB56CAF8A864C3A30C6772B7,SHA256=99588BC050722A4258EE0A47094D141FD66025BE4D1B5A9711FDF42FA3838EBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457983Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:59.917{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D0811FA21B79B89A79660BEF80E141B,SHA256=B9B9F88BB89F7F384D8C2DB2F501E8E9D3CE252C9A6E8A24D9DCE6BE4137A50D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457982Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:59.751{D694AEB8-0F33-60E3-D40B-00000000D301}61405264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001457981Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:59.635{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3648B86FB787A72F69B730CE76C1E98C,SHA256=4FA760AFA28F8B99FE9FD3EBC3D4ADB8F9FC64D01858FC0EA4103E25EDA9F3C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457980Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:59.582{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0F33-60E3-D40B-00000000D301}6140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457979Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:59.582{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457978Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:59.582{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457977Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:59.582{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0F33-60E3-D40B-00000000D301}6140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001457976Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:59.582{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457975Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:59.582{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457974Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:59.582{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0F33-60E3-D40B-00000000D301}6140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001457973Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:59.583{D694AEB8-0F33-60E3-D40B-00000000D301}6140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000402953Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:54:57.326{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54218-false10.0.1.12-8000- 23542300x8000000000000000402955Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:00.791{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A2F602C20056B111A058F388D44AAD7,SHA256=1F9AEA1E59769C2D13D462C26603FD25C4C3A2112EF549520E19B71E5B5E05BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457993Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:00.651{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EEB7AECE8866ECD23FBB4432E8613E0,SHA256=D8C3AE09B77C9ABD4353CD8918C5E821C418D6C993107DE48B2C71A6B438664C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001457992Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:00.139{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0F34-60E3-D50B-00000000D301}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457991Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:00.139{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457990Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:00.139{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457989Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:00.139{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457988Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:00.139{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457987Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:00.139{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0F34-60E3-D50B-00000000D301}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001457986Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:00.139{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0F34-60E3-D50B-00000000D301}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001457985Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:00.140{D694AEB8-0F34-60E3-D50B-00000000D301}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000402956Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:01.806{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95080D670E7AB7972B4397D0E4D5B8E0,SHA256=B3BE5B8F988946FD5CDC071018F0F42D349A5D1669A9F4890200E2F7D5B88720,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001457996Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:54:58.612{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61278-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001457995Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:01.666{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16A74BBF6A993A8ADE5017E3945F4915,SHA256=4895E6334BCED346CB661F44DEE8F81C1024862678A59DAE3040ED612D0DB8FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001457994Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:01.166{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CB831BBAB56CAF8A864C3A30C6772B7,SHA256=99588BC050722A4258EE0A47094D141FD66025BE4D1B5A9711FDF42FA3838EBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402957Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:02.806{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8AB291A8044FBCEC4CA9EED5050475B,SHA256=82BAB7C28578B1D7776B6D0EF1008710C1BB910E0BFAFA6E0E6380305B7B5B27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458006Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:02.716{D694AEB8-0F36-60E3-D60B-00000000D301}28524660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001458005Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:02.680{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36D9D9B60090F174549C773C9C94D112,SHA256=5F9491611571A32DA02224BAC22A8F4F13ABBF8561FD9944485C3F1C8C7CB07B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458004Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:02.533{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0F36-60E3-D60B-00000000D301}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458003Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:02.533{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458002Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:02.533{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458001Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:02.533{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458000Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:02.533{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457999Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:02.533{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0F36-60E3-D60B-00000000D301}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001457998Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:02.533{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0F36-60E3-D60B-00000000D301}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001457997Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:02.534{D694AEB8-0F36-60E3-D60B-00000000D301}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000402958Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:03.806{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=629DB9C1851DCCFF2A7454F60A71CBF8,SHA256=AB3E757A670B33A37C9E1A66A2A77F8A493E5B2D7665B3969E4E5CF714DA75D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458026Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:03.981{D694AEB8-0F37-60E3-D80B-00000000D301}66045384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458025Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:03.781{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0F37-60E3-D80B-00000000D301}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458024Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:03.781{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458023Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:03.781{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458022Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:03.781{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458021Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:03.781{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458020Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:03.781{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0F37-60E3-D80B-00000000D301}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001458019Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:03.781{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0F37-60E3-D80B-00000000D301}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001458018Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:03.782{D694AEB8-0F37-60E3-D80B-00000000D301}6604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001458017Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:03.681{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C1F71276EFD7D3C9C2EB361299A8146,SHA256=86D76F5D19F41F9FFEF7C8655F6A24EDCEE6988BB1D890F8E1C0656E5029304C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458016Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:03.565{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7A5CA91306FF34FF5ED5E538D260AD3,SHA256=5F96E7589B04C4AE0CDB806187D2E6F5DB350FB27FE33715ACFAF99F7BA4D55C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458015Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:03.265{D694AEB8-0F37-60E3-D70B-00000000D301}60325672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458014Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:03.117{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0F37-60E3-D70B-00000000D301}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458013Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:03.115{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458012Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:03.115{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458011Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:03.114{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458010Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:03.114{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458009Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:03.114{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0F37-60E3-D70B-00000000D301}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001458008Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:03.114{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0F37-60E3-D70B-00000000D301}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001458007Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:03.113{D694AEB8-0F37-60E3-D70B-00000000D301}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001458036Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:04.796{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CD50E3E56061E141A3B42D00F9BBCF0,SHA256=05E04EE8CC61DD1FDC8BF6678A3ADBF3E96312665DB4080E9BDDCAEB6220F917,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458035Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:04.718{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44DE118698759F001EB5D7665A3C3023,SHA256=F780A895E735E7CA01C2609E4F97473FC4166B88EA1A385E6110767BCB8A2B22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402960Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:04.806{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AF6B2321ECA40A0F7541C5D17563AAB,SHA256=ADFD0ABA75C3F9B6C0BB053182300E5124B720BA131CE9376DDF2A524B17AA50,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402959Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:03.327{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54219-false10.0.1.12-8000- 10341000x80000000000000001458034Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:04.449{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0F38-60E3-D90B-00000000D301}672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458033Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:04.449{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458032Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:04.449{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458031Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:04.449{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458030Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:04.449{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458029Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:04.449{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0F38-60E3-D90B-00000000D301}672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001458028Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:04.449{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0F38-60E3-D90B-00000000D301}672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001458027Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:04.450{D694AEB8-0F38-60E3-D90B-00000000D301}672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000402961Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:05.806{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1B849C362F43546E665095173D86EC9,SHA256=CF963ED1EB8FB83F6A13393B76AD5D716ABBE617748363F642A5A3B54C3C6FC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458037Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:05.732{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EEDEECEA557BF8D3A24401125EB8B76,SHA256=7EE142B24F07EA96FFA3955B5789171FCF936CCC8F21649345CC6FE888E06BF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402962Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:06.822{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=910C5DC67FA26957B416F196BCE0F858,SHA256=A03F5A6C3B490D74B92AA29CEEA4F73C047718677CC8BF7C0AF0500704A35E54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458040Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:06.748{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24E053904217B68E39DDF147571C7554,SHA256=E1E9A5D3C08B58C549F14C0D7521B1433234253A68B49369DD6165A3ED9A5AEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458039Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:03.595{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61279-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001458038Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:03.595{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61279-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001458042Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:07.762{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5FB558D3316508DDF06CE37A67F6AB5,SHA256=859B3DF764319AB2AF95C55848842F1CFE5301D0A15DB48E7B51B587E0E43853,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402963Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:07.822{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04EC9F7E7B0CFB9990A2F4DFC2F4A3A4,SHA256=1E0ACECD9DBC1A3BD5DAB2D6AE56B35A3F345F57938C0EE84232D8CC387490B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458041Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:04.609{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61280-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458043Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:08.777{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E8D6D1A4F6DB0D854D907CCA1BC557E,SHA256=907F31F0BF7F081537FA7904D0B4FAD79C7C690A2DE80FCD0FD80DA07EECBC7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402964Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:08.822{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4A2AD889BEF42CCDE1EACD13D95F297,SHA256=E62C24599AF21A3A7C124ADB0DF6028EAFAB0F41AB1736DFAA0487AC94E892A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458044Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:09.791{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C19F616055561A3C5D7F1749DF3119EC,SHA256=05777436DDD38FDE75198378A5DE07BE67B013672851FFE5D7C98A5792A5906F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402965Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:09.822{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F92E06560D3D341DD0D4D91F4395398D,SHA256=7FE13AB6D7D2EFD8EE581E5E89983D454E33DD49AA5728A2D7252A33426B519D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402966Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:10.822{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C40222A9AA524B473204E101CAFDE4D3,SHA256=8DFC0763C201B0C39AC584ED8533DD5EEAEEB135D75D59BAD024242C1790EDF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458045Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:10.808{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E860768D95F705766FA6744B2B725B0A,SHA256=70E7E0F73C2C7CB497B3AF998D784F8F6A48744E99DB80AD9237E30E325C457B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458046Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:11.826{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE568BBD3AB81E673C7B931E11A7A893,SHA256=9DFA18B5B0DE5E73E42434CC465900FAC318F7CD0CE6206F092ADD16ECFEC9C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402968Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:09.374{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54220-false10.0.1.12-8000- 23542300x8000000000000000402967Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:11.822{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1C664093CCA618D160B2CC42B22C2CD,SHA256=DEAF2A827F53042A78E972EE09228D31E01FD7D1D5BF961E37C4BB236E0B8E04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458047Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:12.841{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=256828A78E7886EB1FDE69DE6C237AC5,SHA256=028C4BF77C0D77A579854B14EC15C261DE3B42CDB94E799D336B91B5C791B7E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402969Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:12.822{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEFD8F12C33ACC6BE499333EA1FF772D,SHA256=2ECF096B8204F768AF6BDF18DD3A347A01BED92989D22F2D9023626A175AEDDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458049Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:13.855{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBAA0AAA0F156E57F4CDD5CC1599EC86,SHA256=E0DDB0ABFA67683AF455C4D8B8B8894E7E7A7FB6A157BD31578ABB72DA1B9C24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402970Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:13.822{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A82D19F07178CFD7D56440CD56ABB70A,SHA256=122FA1292B16150A15AB884E1D57F6E010989620EE935748C1B8B53D2100FFAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458048Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:10.619{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61281-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000402971Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:14.822{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D596A1F0D299A9B2031C8785EA39BEDD,SHA256=B3C3CCDBE7AC4FFB4FDE5F17B775D5274090466D60205F02F9F854F10F5EA781,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458050Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:14.869{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC603A8C42FFBE5D2107A5C4F7DFB7F4,SHA256=1045214917F89C512F6CBFB88CF66D0120E06363D92FB16757ECB347AC5416DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458051Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:15.883{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03D8129FCD48D10E77E844E7A212E1FF,SHA256=BB15DD28070AF2189A18D68F66BE7E97D40D59CB4BCE403FB3AA0134915706C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402972Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:15.822{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=988B7C1DA40AF9638836E8D619A91927,SHA256=9424C894D11259F6C03F3A211B4F273150E44933ED52E8DE7281AC89A886523C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402974Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:15.358{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54221-false10.0.1.12-8000- 23542300x8000000000000000402973Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:16.822{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A27616D524A3C847C58C1A358878350,SHA256=544FA606F945649408B20C704561AD3C7FFADCA890DDD8B7F490CB35167BA58B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458052Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:16.901{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF7D6BD27F3C565445A9984498EAD212,SHA256=DEFF21A62FFAA68C784D0079E05CB832175912E55C7B14F2E390AF24A81B0F77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402975Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:17.822{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B7829D9363E1590314BF1FEAE2A3430,SHA256=DE2B52866E73A6619BEDF6DFBDD955A445C10F3644E16A3080F928CA70DDCE76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458054Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:17.918{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E059EB0E0E3FEC070EA9033CE541EC8D,SHA256=67A3AA0CAEBA668BEB746943D9FAEBF88CEDC55549992823C29F224F97CB8CBB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458053Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:15.628{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61282-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458055Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:18.933{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93D5F0B2F7F3407DBA180F4B21BEECC3,SHA256=411531CF17763B4F93E3900A74C270EBF212851CA0E247311A3DC200FA8C7906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402976Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:18.822{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58767E61FB439A278D0FAB595EDED8A1,SHA256=7C72AACAAE1A9C941AC492DF73340D9043BF2EE178F9354649576030F819A947,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458056Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:19.964{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1EE1293855E0BE688749FE2C04F74AF,SHA256=D22722B15314C19799174F34EB084AF55EE323EBA80B45D9E03D5E81FF92DE15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402977Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:19.838{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBDF45CCE2BD859B91325C58D5DFE3B6,SHA256=7EFF9088F1E69052CD2DDE53C67EBE170C0FB5C4B1C2CD13281187CA9A008CE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458063Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:20.979{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39E6C7B390F86D40D9A698E53032ED1A,SHA256=08AB4518535977332492629CF789EC2884CCCD6E4C135ED27CD80659A0BC858F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402978Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:20.837{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93DFBD17721307D7AB5B8973A153A011,SHA256=BB93BAC01B23F0171D8E176EA28E086F6B778B9518334AD373BF33717F5301DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458062Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:20.080{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=2DC1F5D48A4905967562AFCDAB78283F,SHA256=7292B65470BC2F4317A357A3C5E1C788B0B46CF401DE038B7A4CC2EC3EAF3250,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458061Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:20.080{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=FFA0E3AD4082FB0790682489BC2851AC,SHA256=FDB093D0090A81E0C876621A39E4C7783B85AE06D6899475786519D5F34936C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458060Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:20.080{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=8BD0DA31948D92C9F9BDE7600EB54529,SHA256=EE1F46CFB9687FF325A8AB11E3F3CBA591AD975BA3EDB793097F1CD560228191,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458059Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:20.080{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=241E12032DA598067470AB2217E20EB0,SHA256=0FA23CD05C9D1E15070D473D235A13D0AD67118DC2022A6659BC2F1516183707,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458058Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:20.080{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=692CD269C9D2834ED0E358EE31C10116,SHA256=EAE85C29205DACA3FA90908553B8285AB95B3F5B33378CB3C1CF616E39BA5BCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458057Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:20.080{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=0D4C13E28420ACDE44776A8603E94A3A,SHA256=7A5F4ADF13FE98AAC5CDB64874AF7F6C4AA8ECEF50748DCF9AB91007000560CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402979Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:21.837{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CEFD848E1F9A2A9EFBF227ABE9AE743,SHA256=AD7B241F0D1BC258B23FDB0B57B551D2622282ADA1A74A0395AF2DD5D540490F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458064Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:21.995{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD621B6B6769A9A44C2001CAE8F2F039,SHA256=D31CF034B6584397FDCE3A49E358FBF3C55911DD7BDAF525BCF08D22A40DE281,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402980Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:22.837{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB90263BF995D105D6A8EC8344E8D74A,SHA256=E8460B647D610CDCC01563B64B7A7EBDFA902D8C945F7BCCDD33C4D2CF97406B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402982Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:23.838{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A389707BDE714DBC06A21A07B48A6B9,SHA256=2D0A6FC5170DC3B53F50B2DDA6898965BDBCC87A172B0382B2BE5846E73972AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458066Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:21.575{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61283-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458065Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:23.014{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C5C1B14FA1D006C5148071B6FB367E4,SHA256=6E636C6718FD4021A8E118A38547B5B59D77A7A8E5C5913DFF202C3A88508034,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402981Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:20.358{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54222-false10.0.1.12-8000- 23542300x8000000000000000402995Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:24.869{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EA0643ECC2B1FEC25E3890C469BB275,SHA256=1758C1892FC87A4D1BA8B4FE2139061D47D34D652D4EDCEA634086245189B357,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458067Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:24.044{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83A458578805841D5F5D083C0E044F4C,SHA256=0E023BDFFFE71F4FE16AE2919F724D4ABAA7905039A27CD925C2D337ACE3ADC2,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000402994Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:55:24.369{7F1C7D0B-B3E4-60E2-1100-00000000D401}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1b10170f-aa22-4c60-a0f8-5e6443014593}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000402993Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:55:24.369{7F1C7D0B-B3E4-60E2-1100-00000000D401}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1b10170f-aa22-4c60-a0f8-5e6443014593}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000402992Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:55:24.369{7F1C7D0B-B3E4-60E2-1100-00000000D401}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1b10170f-aa22-4c60-a0f8-5e6443014593}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000402991Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:55:24.369{7F1C7D0B-B3E4-60E2-1100-00000000D401}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1b10170f-aa22-4c60-a0f8-5e6443014593}\LeaseTerminatesTimeDWORD (0x60e31d5c) 13241300x8000000000000000402990Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:55:24.369{7F1C7D0B-B3E4-60E2-1100-00000000D401}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1b10170f-aa22-4c60-a0f8-5e6443014593}\T2DWORD (0x60e31b9a) 13241300x8000000000000000402989Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:55:24.369{7F1C7D0B-B3E4-60E2-1100-00000000D401}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1b10170f-aa22-4c60-a0f8-5e6443014593}\T1DWORD (0x60e31654) 13241300x8000000000000000402988Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:55:24.369{7F1C7D0B-B3E4-60E2-1100-00000000D401}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1b10170f-aa22-4c60-a0f8-5e6443014593}\LeaseObtainedTimeDWORD (0x60e30f4c) 13241300x8000000000000000402987Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:55:24.369{7F1C7D0B-B3E4-60E2-1100-00000000D401}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1b10170f-aa22-4c60-a0f8-5e6443014593}\LeaseDWORD (0x00000e10) 13241300x8000000000000000402986Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:55:24.369{7F1C7D0B-B3E4-60E2-1100-00000000D401}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1b10170f-aa22-4c60-a0f8-5e6443014593}\DhcpServer10.0.1.1 13241300x8000000000000000402985Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:55:24.369{7F1C7D0B-B3E4-60E2-1100-00000000D401}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1b10170f-aa22-4c60-a0f8-5e6443014593}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000402984Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:55:24.369{7F1C7D0B-B3E4-60E2-1100-00000000D401}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1b10170f-aa22-4c60-a0f8-5e6443014593}\DhcpIPAddress10.0.1.15 13241300x8000000000000000402983Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:55:24.369{7F1C7D0B-B3E4-60E2-1100-00000000D401}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1b10170f-aa22-4c60-a0f8-5e6443014593}\DhcpInterfaceOptionsBinary Data 23542300x8000000000000000402997Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:25.900{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DA0F246368E04FFF0634F646B8997E6,SHA256=B3B0561C274A865500BCD1D139C067DF136A54C50EDB865754FE14C75CBFBA3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458068Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:25.058{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96428B6C228B7D67FFC09707EDE601A2,SHA256=B761CC4FAB7119014B38B01ABC004BDDFEBE28FB554FD4C0EB7A890E88FDC080,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000402996Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:55:25.822{7F1C7D0B-B3E4-60E2-1500-00000000D401}1036C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d771a5-0x67f2c4c9) 23542300x8000000000000000403000Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:26.901{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5F52A6829B0DAAB8313AD60373C871E,SHA256=C07739353BEEE482D91286DF6A759A161C15CEA1E760ED1624EDC5DDB270CDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402999Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:26.431{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3A28253AF4487A8D9B01A476ABF3510F,SHA256=AA350C29549F3CCBE28DB2836163E395820F04F990AC778CA7876662F41660F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000402998Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:24.593{7F1C7D0B-B3E4-60E2-1100-00000000D401}996C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 10341000x80000000000000001458098Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:26.789{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458097Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:26.789{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458096Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:26.789{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458095Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:26.789{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458094Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:26.788{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458093Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:26.788{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458092Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:26.788{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458091Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:26.788{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458090Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:26.788{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458089Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:26.788{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458088Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:26.788{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458087Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:26.788{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458086Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:26.788{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458085Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:26.788{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458084Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:26.788{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458083Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:26.788{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458082Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:26.788{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458081Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:26.788{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458080Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:26.788{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458079Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:26.788{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458078Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:26.787{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458077Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:26.787{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458076Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:26.787{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458075Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:26.787{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458074Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:26.787{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458073Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:26.787{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458072Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:26.787{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458071Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:26.787{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458070Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:26.787{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001458069Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:26.072{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=196EC979B7A664D403CE5EC5205C9CFF,SHA256=DF6243330DB85E373D92C0CAE691B9A18FAFB770EB55745476BF5084BFF0F947,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403013Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:27.901{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFCC4183088BEF007F198CDA8F75CEB1,SHA256=0D4BB61E5FC20A6534CE4665D95293BF04FEDB45B05761959A4B1D31A621B3DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458099Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:27.124{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7487F0FF880555693470534576628149,SHA256=B8D6F112024BDABC08C9B07F9F68F9BBD55DC69EF51F8B6555930B1604C74CD2,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000403012Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:55:27.792{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000403011Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:55:27.792{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x01652c76) 13241300x8000000000000000403010Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:55:27.792{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7719d-0x073f135d) 13241300x8000000000000000403009Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:55:27.792{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d771a5-0x69037b5d) 13241300x8000000000000000403008Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:55:27.792{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771ad-0xcac7e35d) 13241300x8000000000000000403007Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:55:27.792{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000403006Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:55:27.792{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x01652c76) 13241300x8000000000000000403005Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:55:27.792{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7719d-0x073f135d) 13241300x8000000000000000403004Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:55:27.792{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d771a5-0x69037b5d) 13241300x8000000000000000403003Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:55:27.792{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771ad-0xcac7e35d) 354300x8000000000000000403002Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:24.606{7F1C7D0B-B3E4-60E2-1600-00000000D401}1300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:9840:442:84cc:ffff-65448-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000403001Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:24.606{7F1C7D0B-B3E4-60E2-1600-00000000D401}1300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:9c76:6f2e:c294:e2b6win-host-884.eu-central-1.compute.internal65448-trueff02:0:0:0:0:0:1:3-5355llmnr 23542300x80000000000000001458100Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:28.138{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=099EE1F61481D8B0B211FEEEB6B244D1,SHA256=D1218A70BDC97DFDE9AEC90DB6CD4A1E2837B48269E6E5119C1791AEBE2A04BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403014Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:26.343{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54223-false10.0.1.12-8000- 354300x80000000000000001458103Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:27.567{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61284-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001458102Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:29.668{D694AEB8-B3E8-60E2-0B00-00000000D301}6565444C:\Windows\system32\lsass.exe{D694AEB8-B3E5-60E2-0100-00000000D301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001458101Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:29.168{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B50B442B663C070AFF273DBCF360F21,SHA256=5AEE0848D285DBE91CDA7B5A720D6CE1C2A1864B2C7CB76E088E4DADB83F7973,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403015Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:29.026{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2646270635176185016FAC8019DEE9AF,SHA256=2CADF9EFE17C0AE4557EBBE7BDD145F9418EF47B9EAC3925AD43FFE3BF3B7AEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403016Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:30.104{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57A87AA832E0EE36943441CFB70242DE,SHA256=57C91875F2AFBED680A888B07D7885D7859EC955B8C3B5F20A49A951051E7134,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458106Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:30.686{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDBBAA51BF5F8FD0EE8EA9BE72EAC25B,SHA256=C91845D486C871762853F7A3CE7F73C8F38E7848B8662CAE56B9DE5948786421,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458105Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:30.685{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C78DA739FDBF07D7F677E52FF5C49A03,SHA256=31B4FDE7036DA710067AF0A96DB560F8CAB47E27FBB4D752A91722DD80F8189C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458104Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:30.186{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74FA501BE0044873F48F9E01BDFF8137,SHA256=B22FB20E4BB9551F923F56FFD30756444E1149DB0B11FF9C02FFB93EAD28F329,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403018Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:31.698{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403017Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:31.104{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A61AAB37ABD8164B1C5F801B3864150,SHA256=A84C73329A6DBFE783BBFB22654C0D14D85492B18658E2DF2A023C425E2A988A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001458124Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:55:31.934{D694AEB8-B3EA-60E2-1100-00000000D301}404C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{53368657-c59e-4162-93aa-d47525447da1}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x80000000000000001458123Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:55:31.934{D694AEB8-B3EA-60E2-1100-00000000D301}404C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{53368657-c59e-4162-93aa-d47525447da1}\IsServerNapAwareDWORD (0x00000000) 13241300x80000000000000001458122Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:55:31.934{D694AEB8-B3EA-60E2-1100-00000000D301}404C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{53368657-c59e-4162-93aa-d47525447da1}\AddressTypeDWORD (0x00000000) 13241300x80000000000000001458121Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:55:31.934{D694AEB8-B3EA-60E2-1100-00000000D301}404C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{53368657-c59e-4162-93aa-d47525447da1}\LeaseTerminatesTimeDWORD (0x60e31d63) 13241300x80000000000000001458120Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:55:31.934{D694AEB8-B3EA-60E2-1100-00000000D301}404C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{53368657-c59e-4162-93aa-d47525447da1}\T2DWORD (0x60e31ba1) 13241300x80000000000000001458119Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:55:31.934{D694AEB8-B3EA-60E2-1100-00000000D301}404C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{53368657-c59e-4162-93aa-d47525447da1}\T1DWORD (0x60e3165b) 13241300x80000000000000001458118Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:55:31.934{D694AEB8-B3EA-60E2-1100-00000000D301}404C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{53368657-c59e-4162-93aa-d47525447da1}\LeaseObtainedTimeDWORD (0x60e30f53) 13241300x80000000000000001458117Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:55:31.934{D694AEB8-B3EA-60E2-1100-00000000D301}404C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{53368657-c59e-4162-93aa-d47525447da1}\LeaseDWORD (0x00000e10) 13241300x80000000000000001458116Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:55:31.934{D694AEB8-B3EA-60E2-1100-00000000D301}404C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{53368657-c59e-4162-93aa-d47525447da1}\DhcpServer10.0.1.1 13241300x80000000000000001458115Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:55:31.934{D694AEB8-B3EA-60E2-1100-00000000D301}404C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{53368657-c59e-4162-93aa-d47525447da1}\DhcpSubnetMask255.255.255.0 13241300x80000000000000001458114Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:55:31.934{D694AEB8-B3EA-60E2-1100-00000000D301}404C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{53368657-c59e-4162-93aa-d47525447da1}\DhcpIPAddress10.0.1.14 13241300x80000000000000001458113Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:55:31.934{D694AEB8-B3EA-60E2-1100-00000000D301}404C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{53368657-c59e-4162-93aa-d47525447da1}\DhcpInterfaceOptionsBinary Data 354300x80000000000000001458112Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:29.113{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61285-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local445microsoft-ds 354300x80000000000000001458111Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:29.113{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local61285-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local445microsoft-ds 10341000x80000000000000001458110Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:31.466{D694AEB8-B3EA-60E2-1600-00000000D301}12963964C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458109Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:31.466{D694AEB8-B3EA-60E2-1600-00000000D301}12963964C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001458108Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:31.203{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D2712B1B2E1178423E8B8961F6E77C0,SHA256=E1DBC69C45FAD48B03E33F6245C997B689A1E9F7EE0D57D37C25FE30A2A82A21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458107Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:31.086{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403020Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:31.344{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54224-false10.0.1.12-8000- 23542300x8000000000000000403019Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:32.182{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00D987DB7245C40E2D64D669AA6E04C8,SHA256=6985154D20DB250A737B214A35067A04EBF51632598A96786CB6DB7C5A2F20B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458125Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:32.218{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03C0A50F7A7946BAE01B0A59E50C4122,SHA256=0D730D37AEFD58DA4D85744DEBBBB8F81C5E99236EA53027C7B7713475DEE6BB,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001458141Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:55:33.963{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{53368657-C59E-4162-93AA-D47525447DA1}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000001458140Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:55:33.963{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{53368657-C59E-4162-93AA-D47525447DA1}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000001458139Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:55:33.963{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{53368657-C59E-4162-93AA-D47525447DA1}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000001458138Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:55:33.963{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{53368657-C59E-4162-93AA-D47525447DA1}\FlagsDWORD (0x00000002) 13241300x80000000000000001458137Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:55:33.963{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{53368657-C59E-4162-93AA-D47525447DA1}\TtlDWORD (0x000004b0) 13241300x80000000000000001458136Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:55:33.963{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{53368657-C59E-4162-93AA-D47525447DA1}\SentPriUpdateToIpBinary Data 13241300x80000000000000001458135Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:55:33.963{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{53368657-C59E-4162-93AA-D47525447DA1}\SentUpdateToIpBinary Data 13241300x80000000000000001458134Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:55:33.963{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{53368657-C59E-4162-93AA-D47525447DA1}\DnsServersBinary Data 13241300x80000000000000001458133Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:55:33.963{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{53368657-C59E-4162-93AA-D47525447DA1}\HostAddrsBinary Data 13241300x80000000000000001458132Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:55:33.963{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{53368657-C59E-4162-93AA-D47525447DA1}\PrimaryDomainNameattackrange.local 13241300x80000000000000001458131Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:55:33.963{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{53368657-C59E-4162-93AA-D47525447DA1}\AdapterDomainName(Empty) 13241300x80000000000000001458130Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:55:33.963{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{53368657-C59E-4162-93AA-D47525447DA1}\Hostnamewin-dc-201 10341000x80000000000000001458129Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:33.963{D694AEB8-B3E8-60E2-0B00-00000000D301}6565444C:\Windows\system32\lsass.exe{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x80000000000000001458128Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:55:33.963{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{53368657-C59E-4162-93AA-D47525447DA1}\RegisteredSinceBootDWORD (0x00000001) 23542300x80000000000000001458127Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:33.232{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=484546D5BCFEB3993ECBCCCEBDB99C9A,SHA256=DF2AD2D1968B62FC3FA25571ABCDDE98AE7CF981D6BDE961D9A140A06FDD223E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403022Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:31.907{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54225-false10.0.1.12-8089- 23542300x8000000000000000403021Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:33.182{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1678F43C3CF7593C8DCE5DCCF9080257,SHA256=91927089B49FA3CB209036C63B6D436108C56857E4E615132D351701A2F3B3C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458126Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:30.511{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local61286-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x8000000000000000403036Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:34.573{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0F56-60E3-410B-00000000D401}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403035Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:34.573{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403034Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:34.573{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403033Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:34.573{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403032Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:34.573{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403031Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:34.573{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403030Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:34.573{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403029Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:34.573{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403028Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:34.573{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403027Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:34.573{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403026Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:34.573{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0F56-60E3-410B-00000000D401}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000403025Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:34.573{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0F56-60E3-410B-00000000D401}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000403024Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:34.574{7F1C7D0B-0F56-60E3-410B-00000000D401}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000403023Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:34.182{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4EA16D8F555A2F102BD04391FA8BD3D,SHA256=023848281330454797ABE23F2844F1AB6DBD75858ADBB18F50AC482E9DBD3051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458145Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:34.983{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDBBAA51BF5F8FD0EE8EA9BE72EAC25B,SHA256=C91845D486C871762853F7A3CE7F73C8F38E7848B8662CAE56B9DE5948786421,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458144Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:34.247{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71693016652428E02AB0E68C9EC1F6E7,SHA256=59C11D0ECF6EE3959CFF663224AF0CA1B580D3A32081FA7C9202EC6E82CE9A45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458143Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:34.178{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F33FC486E3A992EFA8A9395878D5D306,SHA256=77168722F39E2B87558CD95DF1A17F5E9AAD3E3746B1D73EEEC17DE1F6918708,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458142Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:31.378{D694AEB8-B3EA-60E2-1100-00000000D301}404C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-201.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 23542300x80000000000000001458148Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:35.261{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9944C8BBEB18FD6CF55FB133B58D177,SHA256=C4FFE32DBF57ADD498E9BC3B8FE5B626F670DA2E24088C79FD18E9592A35BF66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000403065Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:35.917{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0F57-60E3-430B-00000000D401}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403064Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:35.917{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403063Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:35.917{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403062Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:35.917{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403061Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:35.917{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403060Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:35.917{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403059Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:35.917{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403058Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:35.917{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403057Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:35.917{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403056Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:35.917{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403055Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:35.917{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0F57-60E3-430B-00000000D401}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000403054Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:35.917{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0F57-60E3-430B-00000000D401}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000403053Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:35.918{7F1C7D0B-0F57-60E3-430B-00000000D401}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000403052Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:35.807{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72A5C8D3016D648F3B34577254FEE0FE,SHA256=1A4928D774E611B850F7F26689AC7ACE0D5C5B8949F7FA5634FC4037E61E2BA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403051Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:35.807{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=206CC5451512448505355FD5197C0F8B,SHA256=D98D70F33A40CE880642665AD47466DF6787C9487919133FD3BD16AF46931DB7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000403050Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:35.245{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0F57-60E3-420B-00000000D401}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403049Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:35.245{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403048Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:35.245{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403047Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:35.245{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403046Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:35.245{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403045Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:35.245{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403044Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:35.245{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403043Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:35.245{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403042Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:35.245{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403041Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:35.245{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403040Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:35.245{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0F57-60E3-420B-00000000D401}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000403039Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:35.245{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0F57-60E3-420B-00000000D401}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000403038Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:35.246{7F1C7D0B-0F57-60E3-420B-00000000D401}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000403037Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:35.198{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=377190354ADDB3B5A661946D58B711EC,SHA256=9DCE45CB45D342E68A905274A58F316E36760C66E7A34FD691075B659E1204E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458147Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:31.384{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:f870:1178:1b1:ffff-54046-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x80000000000000001458146Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:31.383{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54046-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x80000000000000001458164Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:33.560{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63246-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458163Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:36.282{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47B0361891BD8E98A267F360889C9F0C,SHA256=EA5DE671CFFF70A930071EE521B7D6F6276DBABB3353106DE4F9551856C2EAB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403068Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:35.022{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-61009-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000403067Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:36.245{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B90B945ED2C3BFAA319D1B48B8591E85,SHA256=77E2427C2CEBC57A127AE9EE7121A2DAF4C57ECC86E8993C6F128F5364B40A1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458162Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:33.422{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local56185-false10.0.1.14win-dc-201.attackrange.local53domain 354300x80000000000000001458161Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:33.422{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:f870:1178:1b1:ffff-56185-truea00:10e:0:0:0:0:0:0win-dc-201.attackrange.local53domain 354300x80000000000000001458160Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:33.421{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local49438- 354300x80000000000000001458159Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:33.421{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local56185-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domain 354300x80000000000000001458158Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:33.421{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local60956- 354300x80000000000000001458157Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:33.415{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local63245-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001458156Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:33.415{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local63245-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001458155Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:33.414{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local58329- 354300x80000000000000001458154Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:33.412{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-201.attackrange.local63244-false10.0.1.14win-dc-201.attackrange.local53domain 354300x80000000000000001458153Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:33.412{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-201.attackrange.local63244-false10.0.1.14win-dc-201.attackrange.local53domain 354300x80000000000000001458152Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:33.411{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local54046- 354300x80000000000000001458151Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:33.411{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-201.attackrange.local54046-false10.0.1.14win-dc-201.attackrange.local53domain 354300x80000000000000001458150Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:33.410{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local62538- 354300x80000000000000001458149Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:33.410{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local62538-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domain 10341000x8000000000000000403066Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:36.073{7F1C7D0B-0F57-60E3-430B-00000000D401}34801860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001458165Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:37.297{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8ABEFAC9441241A8F07BA6FE6CDEB0F,SHA256=8B51209D9175B8901BA87EC65A4565F356FAD5C8E3CDC28080E522F136277FC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403070Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:37.370{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1A43CBC3A17706EAA527E22622611F2,SHA256=56EB48724B3AF218A01358B92C584E945C8974F627AEC8061278BD9B2D026B44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403069Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:37.151{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72A5C8D3016D648F3B34577254FEE0FE,SHA256=1A4928D774E611B850F7F26689AC7ACE0D5C5B8949F7FA5634FC4037E61E2BA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403071Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:38.386{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AE8F4772A59AA45D1176AB3D79C1ED1,SHA256=9BF66B5736ED2EC578DBD369F12A093E0FCC93ACD26C0B778B87CBD4B66C2102,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458166Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:38.311{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72039116808E4272560CBC7292095EE0,SHA256=CB9689C52D98D435F9E26563C096CF34D95D1C968A4C4B4501B447E89A28D7BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000403100Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:39.901{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0F5B-60E3-450B-00000000D401}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403099Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:39.901{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403098Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:39.901{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403097Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:39.901{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403096Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:39.901{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403095Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:39.901{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403094Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:39.901{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403093Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:39.901{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403092Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:39.901{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403091Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:39.901{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403090Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:39.901{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0F5B-60E3-450B-00000000D401}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000403089Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:39.901{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0F5B-60E3-450B-00000000D401}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000403088Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:39.902{7F1C7D0B-0F5B-60E3-450B-00000000D401}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000403087Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:39.432{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FA43FC57B824188F0175463C0CD32EB,SHA256=0F438AC7300EF5A6F309179487848DC7A31864F0692BB57B9E1F3247E662FCB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458167Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:39.326{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43143A4DD6D3AC20B71AAE31A1FC2D90,SHA256=A4313E671CE57FD715051615A36C33B4E8EF8BC687D1C2021FBCC1167E9977F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000403086Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:39.386{7F1C7D0B-0F5B-60E3-440B-00000000D401}40801724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000403085Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:37.344{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54226-false10.0.1.12-8000- 10341000x8000000000000000403084Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:39.229{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0F5B-60E3-440B-00000000D401}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403083Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:39.229{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403082Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:39.229{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403081Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:39.229{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403080Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:39.229{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403079Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:39.229{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403078Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:39.229{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403077Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:39.229{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403076Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:39.229{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403075Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:39.229{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403074Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:39.229{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0F5B-60E3-440B-00000000D401}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000403073Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:39.229{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0F5B-60E3-440B-00000000D401}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000403072Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:39.230{7F1C7D0B-0F5B-60E3-440B-00000000D401}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000403117Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:40.730{7F1C7D0B-0F5C-60E3-460B-00000000D401}34841232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403116Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:40.573{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0F5C-60E3-460B-00000000D401}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403115Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:40.573{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403114Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:40.573{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403113Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:40.573{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403112Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:40.573{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403111Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:40.573{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403110Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:40.573{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403109Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:40.573{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403108Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:40.573{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403107Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:40.573{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0F5C-60E3-460B-00000000D401}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000403106Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:40.573{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403105Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:40.573{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0F5C-60E3-460B-00000000D401}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000403104Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:40.574{7F1C7D0B-0F5C-60E3-460B-00000000D401}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000403103Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:40.479{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D04DD0C0119BC995C6C86F0E62B80000,SHA256=B828F6919DD5D27A029A0193F7F39AD550C4A7054905CF2487B9BF5153AF70DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458168Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:40.341{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=667ADF3EEC5A3ADB564902B575F2B224,SHA256=EEF9FBDA9E5781456EF7775B3211C5504D7919B3CF57356057237F9181221D3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403102Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:40.292{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A0DB77F86997871BCD51F8937AF6B00,SHA256=9320C4EB8D38865C340F637FA49779014D83547FEF7F745A29C78DF5067166B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000403101Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:40.089{7F1C7D0B-0F5B-60E3-450B-00000000D401}22922272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000403132Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:41.932{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F6B616A6D39622422E8A1A3FAEA5637,SHA256=ADC165AA2A662560578D1A8A0803589E728528D6F5F08A5F6CC4677B12F4E300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458171Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:41.440{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7B5912B75512518BFF7AFCA1CB50B0A,SHA256=47A2402B6510213EED82F54B90F773BE557FDF333339C85950B39016EBB78D23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458170Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:41.440{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82DECB984A7583E950597FC056B77A8A,SHA256=1088E38BF8A771F616AAB984935453ABBBFCD757612E8BEA4A63892B45198BB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458169Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:41.373{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D8F6D1C556FE7A834F6AA648F20EF6F,SHA256=C0866CB089DBCBCC4FFE4DA213763DF4A04339D7A01FDC0FEB0A7BDDE91939B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403131Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:41.667{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A52A2B5D29883E746A4CAB0BBD93F2E,SHA256=B93752B52A287EA78690B3EA2283A4473A58FC899A69FC213B6837C4A7B990D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000403130Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:41.245{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0F5D-60E3-470B-00000000D401}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403129Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:41.245{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403128Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:41.245{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403127Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:41.245{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403126Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:41.245{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403125Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:41.245{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403124Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:41.245{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403123Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:41.245{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403122Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:41.245{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403121Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:41.245{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403120Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:41.245{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0F5D-60E3-470B-00000000D401}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000403119Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:41.245{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0F5D-60E3-470B-00000000D401}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000403118Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:41.246{7F1C7D0B-0F5D-60E3-470B-00000000D401}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000403133Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:42.932{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0CEC0722961695D1AD59137C1CC24B6,SHA256=18FEAC5607DED05A7BDF9DDFFAE27FDB7D6A353A2CE8467BE15C550681D57794,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458173Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:42.408{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB392917C74D43D319148D181C511B4E,SHA256=8BC5CAE9E9BC0E0DD8FCF09B28015D5F112DDC74D2BAB0F0EE928651FD1C94FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458172Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:39.601{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63247-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000403134Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:43.932{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F431CE4B678A998D6C7AED16BB391588,SHA256=758604A8129119299D63CD218F54777CE1E941C21FFA125BD8F1319F9DC84E61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458174Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:43.439{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=185A4C61DAD3560B9951D5B672E73AC7,SHA256=2F648771F844EFE7E28EDB8D273EAE686444432D40C90169DF8A483D602BF34E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403136Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:44.964{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80FCE31A55B4B539C061B22908466112,SHA256=EAFE27715AE399B231E4B0C8567FF1F5E0350710C055BC7E389ECC1747BBAB13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458175Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:44.453{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49420CB9F8753A23A409BE2CDFCB1896,SHA256=5316E7F1D1AC6D88671548B570422150935951D7A2EDD7C8772FBD3A79FB6E63,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403135Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:43.360{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54227-false10.0.1.12-8000- 23542300x8000000000000000403137Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:45.964{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77F79BE388F59AC8779FDEE27BBBFCB4,SHA256=B3139976C80E2D35D74DABFC16C6266E2DE1FD577BCC9EF66994C3374B53C78E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458182Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:45.471{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5520B05D0AB0B7739A23D1046AA3918E,SHA256=5B9120F8CDCA09EA7D8EB05E79E75034E0D92F4B03226D939762821D5954AC54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458181Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:45.137{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=7D627D56D570AA01C7E79D1E4AD864BF,SHA256=3058968D7E194A2BBB82A1211B5A3C55715E439D73AE5C204CD09A4B83B213CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458180Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:45.137{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=2A30154DF8FCFB08EE729A31B0368722,SHA256=9996912F08404360C21761A8A20A7E066BCF41DEDD45995AFC25288091CBED1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458179Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:45.137{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=1F89DA4EBEB69A96F435DB67D4F66C65,SHA256=CB1CF068C8D237ECA0BE507AB9B7AF166F08B62A2DBFDBD1B718B724CB5F857F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458178Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:45.137{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=D10D26BFAE9116FE19D2E32460339C02,SHA256=A5D28E0F7F1BBAB12F6593B3D789B8E13C929711E5D551FBBD1966DE23CD149C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458177Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:45.137{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=3988CB24F5769EF55809C1705AB531EB,SHA256=D991E311801B9381DBEF306FF5814EF15A603CEAEB09A1F661F63AE9690CE45B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458176Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:45.137{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=E975FC9C81E4B0852047D8FA088E5DDF,SHA256=84DF643CC0245BA6336C3EB51B756F7739525B13502ACB7C3FE56116B8C49D92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403138Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:46.964{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6B65FC4A580F358540F014C35B202C2,SHA256=ADD024890DA473A22DAF3996029F4E0C5567918B6976A892351CD7DFB405AEBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458183Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:46.488{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE1AF5530EACFF1198DD19D8B3EC532F,SHA256=5C4A719BA7F98A1DA395E0C0BF71B534D5443DE7B157BD476B2AB4989FE501F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458187Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:47.887{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458186Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:47.887{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458185Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:47.887{D694AEB8-B3E8-60E2-0B00-00000000D301}6566904C:\Windows\system32\lsass.exe{D694AEB8-B3E8-60E2-0A00-00000000D301}648C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001458184Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:47.503{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DE67E881B8D00B883522AB282D6E484,SHA256=5A665CA4305E096CDB747C3EA3FFBD731729BA7D21CB87C74F9460C96C67FBFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458191Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:48.933{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=57CD3BDA70995AE978F17843B6B5F9E2,SHA256=91891F8FE55508ECE9B088A02CAA5884AADA0DEB838D23595A9774BDC047F8B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458190Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:48.933{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2E7568F4C8174FC9F3B2A80C1E2E3914,SHA256=9E95FC3FD2394477BD8B86F50D1D157D13144053952DC643743FC03CD7CDB13B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458189Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:48.517{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=786CF66E0C1B302C1F584B2CDDEAE24B,SHA256=938D8BD82185AAEFB5AFA2634D89227E0F9F6EBD4BED5E24295F11D76ED9157E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403139Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:48.104{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D7DAE884FB33F67FE44B48EC9A4CF0E,SHA256=19011D82C56E07E6E95ACF753992A7E801D093FAD136BB063395C4BD3A4ADD43,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458188Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:45.615{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63248-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458199Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:49.532{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51C32F0EB14387EE623FB1A49867A9C3,SHA256=62A1AB041687EB33D9ED4C3A5C6C9EE1D0A0A9195845B839121E7973FD33435C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403140Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:49.104{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=524571CE9DA78D4CD4BA53C7BF1F39B9,SHA256=4C95F0D36B3FDF9C13A38EA8E97446985BBBE20AB00E5AEDD85D4028692D9C4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458198Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:47.342{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61360- 354300x80000000000000001458197Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:47.341{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-201.attackrange.local54504-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x80000000000000001458196Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:47.340{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61505- 10341000x80000000000000001458195Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:49.217{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+169a00f|C:\Program Files\Mozilla Firefox\xul.dll+6828c0|C:\Program Files\Mozilla Firefox\xul.dll+17948c2|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571|C:\Program Files\Mozilla Firefox\xul.dll+2bbf9e4|C:\Program Files\Mozilla Firefox\xul.dll+6177f1|C:\Program Files\Mozilla Firefox\xul.dll+2d81e48|C:\Program Files\Mozilla Firefox\xul.dll+2d87090|C:\Program Files\Mozilla Firefox\xul.dll+2d86f05|C:\Program Files\Mozilla Firefox\xul.dll+2d86a87|C:\Program Files\Mozilla Firefox\xul.dll+2d8654a|C:\Program Files\Mozilla Firefox\xul.dll+2d8720f 10341000x80000000000000001458194Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:49.217{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+11fd9e1|C:\Program Files\Mozilla Firefox\xul.dll+122efe9|C:\Program Files\Mozilla Firefox\xul.dll+122ef09|C:\Program Files\Mozilla Firefox\xul.dll+122c730|C:\Program Files\Mozilla Firefox\xul.dll+122cc44|C:\Program Files\Mozilla Firefox\xul.dll+16b3e21|C:\Program Files\Mozilla Firefox\xul.dll+6817b9|C:\Program Files\Mozilla Firefox\xul.dll+6816c4|C:\Program Files\Mozilla Firefox\xul.dll+6814ad|C:\Program Files\Mozilla Firefox\xul.dll+6810b4|C:\Program Files\Mozilla Firefox\xul.dll+17948a3|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571 10341000x80000000000000001458193Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:49.101{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+169a00f|C:\Program Files\Mozilla Firefox\xul.dll+6828c0|C:\Program Files\Mozilla Firefox\xul.dll+17948c2|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571|C:\Program Files\Mozilla Firefox\xul.dll+2bbf9e4|C:\Program Files\Mozilla Firefox\xul.dll+6177f1|C:\Program Files\Mozilla Firefox\xul.dll+2d81e48|C:\Program Files\Mozilla Firefox\xul.dll+2d87090|C:\Program Files\Mozilla Firefox\xul.dll+2d86f05|C:\Program Files\Mozilla Firefox\xul.dll+2d86a87|C:\Program Files\Mozilla Firefox\xul.dll+2d8654a 10341000x80000000000000001458192Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:49.101{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+11fd9e1|C:\Program Files\Mozilla Firefox\xul.dll+122efe9|C:\Program Files\Mozilla Firefox\xul.dll+122ef09|C:\Program Files\Mozilla Firefox\xul.dll+122c730|C:\Program Files\Mozilla Firefox\xul.dll+122cc44|C:\Program Files\Mozilla Firefox\xul.dll+16b3e21|C:\Program Files\Mozilla Firefox\xul.dll+6817b9|C:\Program Files\Mozilla Firefox\xul.dll+6816c4|C:\Program Files\Mozilla Firefox\xul.dll+6814ad|C:\Program Files\Mozilla Firefox\xul.dll+6810b4|C:\Program Files\Mozilla Firefox\xul.dll+17948a3|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002 23542300x80000000000000001458201Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:50.599{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FDFAD8C9ACCF3686EE2BC487E602835,SHA256=1BBB5D8244263323E7DD691F611CE3E54D3D93A0724292096A933364D7F7D306,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403142Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:49.376{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54228-false10.0.1.12-8000- 23542300x8000000000000000403141Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:50.260{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D337743C920B2F98AEE5AFCB9891CAAB,SHA256=3FB6D0318F53954C2624C56000A7C250A5753AE8FAD563133B1EECBC96185312,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458200Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:47.346{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-201.attackrange.local63249-false8.248.149.254-80http 23542300x80000000000000001458202Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:51.614{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00914A4A11868E0648225F6027BB20A2,SHA256=2C0B2853E68E5F74CE27C45CEC69E48C69CD515DD186A6E8A0CA03BD24CB9050,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403143Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:51.260{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC40971B94E30C9AEA1CC50F260E12EF,SHA256=951D247F2DF97D9CDDABD60C5B5C3E0B210B1D0386371587C8677C44E2C5980C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458206Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:52.628{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0C329570DAFD7246444F1791EEED9DE,SHA256=2B3F73CC6BC22269C464CAB57181428D54B26CADF269E13DDEE12805488A93DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403144Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:52.276{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=641B9E8E5239B2D129DBBD94F3863A88,SHA256=31C674B813CB9436DC1516A96E3862F6D8F23330ED42C2D398DABAC4D769C8BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458205Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:49.775{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50057- 354300x80000000000000001458204Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:49.775{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:98c0:866f:1b1:ffff-50057-true7f00:1:0:0:0:0:0:0-53domain 354300x80000000000000001458203Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:49.744{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local50057- 23542300x80000000000000001458210Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:53.996{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=D615AEAB82F6FAFBAAB7A30BC11D0918,SHA256=117B7E9F113CBA3C9190A5AE9E4C96990B8D27A66225392984586D86071E4821,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458209Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:53.996{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=E7990A5ECD085A05837F5093BC3D56F5,SHA256=9B40FED7052308FD0430E9103A6B11F4FE94049C8A21B97C26741F677911EC55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458208Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:53.643{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0AC0DC6B33CC4DD3E7F80BF87C1E70B,SHA256=D8249C696B2717FD0F4A1F879B56F25ED7DA853A34233373183A496BE9EA8C3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403145Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:53.276{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=339DDCB7A538E17909FC07DA80A4DAA2,SHA256=AABB19B5CA26BF21F215E14AD0A874A9D5CC8E462FAB13DEFE79B677E3F6CE14,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458207Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:49.836{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-50057-false127.0.0.1-53domain 23542300x80000000000000001458216Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:54.662{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B927DCF480189775FACFDCDA6A509AC,SHA256=CDEAD2F239CDA2553CDADE8D06E7B16ED22883CB500CF539FF64C6EB95DDFF16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403146Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:54.276{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E6B0EE80AF9EF62290E5FC315501A85,SHA256=6C3E39DEC8A40BA119655EC1FA9134634D28EC6C16D41C2919E975F454724C77,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458215Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:51.605{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63250-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458214Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:53.996{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=2133F91838457B35586D411971AE7CF9,SHA256=5CA42A5F8D70712328A531F50D07A7274C3C16728FBC7322202049CAAD92DC62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458213Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:53.996{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=2261DF1DAA6BDEFAB7767B0ABE674BCB,SHA256=7C77AC6CBF8737A1F6474F3E8BE802D00F1ECB2E6255E6248F7F4C9899BEF0D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458212Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:53.996{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=8CDC41E6AE2B180A52D20DBF0FD50446,SHA256=3835944C3D2795940785672E6AC5B55749A194BC8DB29EC774366209AECDF866,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458211Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:53.996{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=786BD43DBFC7149FC543AB5BFE2A7070,SHA256=B5D6344F6FCBB519CE4D197F4E20465569974549DE8D61E4D0ECBBDC99A25A58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458217Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:55.693{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EE9CF823D6E0C9D9CB3503006A3FB2D,SHA256=64926EDBD431CC9181392AE61CF5BD1A83DA2DB57D08D53627C8667DD28ED9FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403147Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:55.276{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5699B173848E815B138C1EA6F9F9525F,SHA256=967A7173EBF642D895B5E8C0ABE5D3A259CC5E7D20DD94ACD574E7A130EB13B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458218Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:56.724{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FDB84C6742A38C93060D2FFEEBB82EA,SHA256=B0A6A60A61564C8932B5481758997660FEB7665458F52F515EBEAA6D5D47BCE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403148Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:56.294{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA4C3ADB88A50CD2F0ED812AB4AF51A6,SHA256=8B3A9030C82A010446ED352068BFCB414D37E1AAE12AA5C9CC79C2D5332CC9FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458219Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:57.756{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92A688E4C6CE2A9A18CBBAA479EB8DB0,SHA256=7AAB4CA5D984409A00CBCB43268D97870E8D95F1A5BCF9082F24D6C77A34C50C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403150Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:57.327{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E69D15DFD4FCC6CBA9DAF9EA4C221A7,SHA256=642E543EE428A36EB3C640542FD9A565AE9F7BE3FA70FC7A594288D83B20B285,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403149Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:55.422{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54229-false10.0.1.12-8000- 10341000x80000000000000001458229Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:58.890{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0F6E-60E3-DA0B-00000000D301}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458228Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:58.890{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458227Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:58.890{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458226Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:58.890{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458225Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:58.890{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458224Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:58.890{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0F6E-60E3-DA0B-00000000D301}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001458223Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:58.890{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0F6E-60E3-DA0B-00000000D301}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001458222Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:58.891{D694AEB8-0F6E-60E3-DA0B-00000000D301}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001458221Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:58.774{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE068CC74B656B9126A85F3CDFB6101B,SHA256=78AB5034F2FF370FF2A0B72150D91953FFE0ED8624BBEA5A1901AAC76341C4CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403151Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:58.420{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B79E8850C0405BBD7176A1D0D80A181,SHA256=EBA30A4A893FCCBB158C2D5D52A1B49737D40A48391D3FC880A014F0F818E370,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458220Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:56.621{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63251-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458241Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:59.890{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12BB4782C8FD4DCE2F11D4FB4526CCBB,SHA256=C005628FA21C62B1ED18CFFDE3AE7ABB12A810BE84FFFFBF3B6A5595BF515F4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458240Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:59.890{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7B5912B75512518BFF7AFCA1CB50B0A,SHA256=47A2402B6510213EED82F54B90F773BE557FDF333339C85950B39016EBB78D23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458239Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:59.789{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=473FD0F1E26817B796D0B8F355979EDA,SHA256=99B0BF928BE8F82EF3EA1303B6C0A9C3182466F3B67D84639840CEE5D98808C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403152Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:55:59.514{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22AC3F51375A1FA7D9EE4EA680CEC1F1,SHA256=8A8D9C0963F2BB1C01EF03B895F819CBE38F4F5014E7EA3233B8CF0480EF21DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458238Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:59.574{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0F6F-60E3-DB0B-00000000D301}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458237Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:59.574{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458236Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:59.574{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458235Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:59.574{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458234Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:59.574{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458233Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:59.574{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0F6F-60E3-DB0B-00000000D301}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001458232Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:59.574{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0F6F-60E3-DB0B-00000000D301}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001458231Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:59.574{D694AEB8-0F6F-60E3-DB0B-00000000D301}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001458230Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:55:59.037{D694AEB8-0F6E-60E3-DA0B-00000000D301}32245988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000403153Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:00.514{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A853E76B7E5B376BC219BCBDA0D0178,SHA256=0117E88BDAE5095057622422A8B45C7CFB4293358F97DE985FB8A7EEAED2B11F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458250Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:00.790{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D6B026320DD6B503D4F10A03935C38F,SHA256=272539373472FCE51EB7EF5A5577411928FDBF7CEF99FFBA3ADE780A06152549,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458249Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:00.236{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0F70-60E3-DC0B-00000000D301}6908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458248Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:00.236{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458247Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:00.236{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458246Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:00.236{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458245Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:00.236{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458244Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:00.236{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0F70-60E3-DC0B-00000000D301}6908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001458243Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:00.236{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0F70-60E3-DC0B-00000000D301}6908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001458242Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:00.237{D694AEB8-0F70-60E3-DC0B-00000000D301}6908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000403154Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:01.655{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A8B5B9C790059B4A4A38C63B81493FC,SHA256=3A4B3CB2AD157F2E7D53947B82D257D90D8A32C3BCB672D4563AF55ED9FBAD8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458252Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:01.805{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D52A6CB0DB938921E3E856595B73C4B,SHA256=035C2A8BC2FE03B44247D93587F89910D49590E7BA8785EA3D666CF7360C3CEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458251Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:01.254{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12BB4782C8FD4DCE2F11D4FB4526CCBB,SHA256=C005628FA21C62B1ED18CFFDE3AE7ABB12A810BE84FFFFBF3B6A5595BF515F4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458262Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:02.836{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E41FA88F6FAD63B47FFEFE170C3B249E,SHA256=08F94C095F29B6828F97D841062179109282990ABF7FE5162F598C3E7AA7B862,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403156Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:02.686{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C1470FC8299BF6DD3C4E09E12F99B56,SHA256=3DEA1138AA89C90A5EEAFB41FE4E7707E47E69BD1FAFD3DB756D4B26B6885C1A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403155Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:00.426{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54230-false10.0.1.12-8000- 10341000x80000000000000001458261Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:02.704{D694AEB8-0F72-60E3-DD0B-00000000D301}34446920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458260Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:02.556{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0F72-60E3-DD0B-00000000D301}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458259Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:02.554{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458258Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:02.554{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458257Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:02.554{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458256Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:02.554{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458255Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:02.554{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0F72-60E3-DD0B-00000000D301}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001458254Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:02.553{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0F72-60E3-DD0B-00000000D301}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001458253Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:02.552{D694AEB8-0F72-60E3-DD0B-00000000D301}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001458281Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:03.837{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBCF457EF93716EEC13E0512A925C02E,SHA256=C85F4F14B70A949C489230AEE83C98A50EE56D3D0661F30E57FA311AF2590CA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403157Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:03.702{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A38A093F77BC51B35DF7045681925354,SHA256=10C67688E01384D8F06870E373842DE4ABEA15D21A1F095222FCA0507D03F3F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458280Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:03.690{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0F73-60E3-DF0B-00000000D301}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458279Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:03.690{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458278Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:03.690{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458277Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:03.690{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458276Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:03.690{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458275Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:03.690{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0F73-60E3-DF0B-00000000D301}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001458274Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:03.690{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0F73-60E3-DF0B-00000000D301}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001458273Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:03.690{D694AEB8-0F73-60E3-DF0B-00000000D301}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001458272Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:03.555{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF7B1835B2780C73504EE5D1C0C3A0AE,SHA256=D9AD99A4C9FBA032DFF9995401A9F3134E8DD379D0D98C62662BE4A32058AC03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458271Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:03.258{D694AEB8-0F73-60E3-DE0B-00000000D301}53884856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458270Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:03.089{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0F73-60E3-DE0B-00000000D301}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458269Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:03.089{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458268Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:03.089{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458267Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:03.089{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458266Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:03.089{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458265Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:03.089{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0F73-60E3-DE0B-00000000D301}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001458264Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:03.089{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0F73-60E3-DE0B-00000000D301}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001458263Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:03.090{D694AEB8-0F73-60E3-DE0B-00000000D301}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001458293Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:04.904{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3C0F3AA4FD313CDFA30512CD604CE6F,SHA256=DDD5F01A056598869E1CBFDFF940B4B0CA1D25DF617391149A0ADC841AC3F66C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458292Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:02.649{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63252-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000403161Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:04.748{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2F5608D6F04A0FD535ED2F30BEEC641,SHA256=05133CFA3B674AF24F82503C59DD1520AA6022B2FAA693987E098CDC9180349A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458291Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:04.704{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4257FEBEE2FC1F98DBC4C3E8D5D44BE,SHA256=454AF3039E4AF42C38DF7CE2F571614C25348A806CEFC62070BC1AABB7080536,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458290Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:04.520{D694AEB8-0F74-60E3-E00B-00000000D301}62566624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458289Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:04.373{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0F74-60E3-E00B-00000000D301}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458288Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:04.373{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458287Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:04.373{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458286Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:04.373{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458285Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:04.373{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458284Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:04.373{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0F74-60E3-E00B-00000000D301}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001458283Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:04.373{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0F74-60E3-E00B-00000000D301}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001458282Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:04.374{D694AEB8-0F74-60E3-E00B-00000000D301}6256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000403160Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:04.655{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4166534D0FF5C5FB28742FCF3BAE3306,SHA256=81644E19140D86EA27A729A15682801261F311E7A0B4E804B2CAB667631D7FA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403159Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:04.655{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=225D1777785AA84B9EC385130C742C28,SHA256=E646B851BCCA61C4033D08BB6D4E4E833C714E8731FC704BC6B65D346FD6FB5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403158Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:03.318{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-57324-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 354300x80000000000000001458296Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:03.619{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local63253-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001458295Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:03.619{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local63253-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001458294Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:05.919{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63296AD6BEA6E78AFBF3A72AD457D264,SHA256=85F9FBE43C85A9FF0C85885D5DEA9272CEBA78D088B3751D4959903E4D5ED02A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403162Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:05.764{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F20FCF634137FA594394E7B7424DD088,SHA256=514E89299CC4F947D80C1BC984ADD2ED6EFDD4130F8BE79C54B73D3993EDDA3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458297Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:06.951{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=486CF84B56F3077EB510BAD0ACE54228,SHA256=C829B9EE7EE7983D90959AD8E3F6907E0D9C7CCBCEE6CFC7470EEF297EAFC638,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403163Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:06.780{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7253B83E7C4AAAAEA498DE599BE39197,SHA256=A20F88B7496A5B14995B2C95933ACB4903CFA48CE3606316C5CA239262A84C22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458298Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:07.969{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20710385123C5683EE077C7575B124CF,SHA256=D3E6B4E6D206AEFF85CFED3CDA4BD32FD7DE4DCA4CCE93C2126074B9C29C8289,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403164Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:07.780{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8313169FE134B69F21B8FB2818051D7F,SHA256=4EDA42A7359F36360FDBC0F998C71C1450880F0DC64542031B0990DC16240741,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458299Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:08.983{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=911DD46C586AC3ED05F357087B9FC1AF,SHA256=C66F09B949B5626FA255ED377063079EC3901C5D8FE099069C691720B49D8F08,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403166Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:06.410{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54231-false10.0.1.12-8000- 23542300x8000000000000000403165Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:08.811{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2E0AC2BA461B0A8A0B9D598D93CCB90,SHA256=B65FAAE37E7DDDBB8E5D25DAF9E74B795616F870A1A32FB0D991CF8A0BACE65A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403167Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:09.811{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE9F2F2CBB251E75573A3ED04C3E9E92,SHA256=D818D02E32470629FA669D24BB2C8FDC428ED5CF0E9382557ECC1AE0BDD4C2FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403168Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:10.811{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C80BB135220612D8961E60ECD47A819,SHA256=5C1BA25787E78CC5DDFDF4686BC4B76B2F97C0103F49FC8AC6A85FA4F6E0876E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458300Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:10.013{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=886B616A6532189F2D94A5D82C72956D,SHA256=81B96E3761EFE286BE94C6E7F85C460B643E37723C3E8AE592F7C2635D8FC50F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403169Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:11.811{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89BC281068600A2B2C977CDF779D42A9,SHA256=E5489258802463840910AD013BD4EBA7AFEE034BE7C1609D9614D195813313E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458302Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:08.690{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63254-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458301Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:11.046{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=899DB50A19559719B6FE429819F16759,SHA256=B5D53FB1CBC79CADE31158623AD9796E65D5ED82D033FEE5BEC71D1C5FECB6D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403170Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:12.827{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2376958C445814C88288DC893DFA35F,SHA256=DD71A76481D3C217A15BA438B4693848C568FBF833C68EB6B749A1F0E9E0858B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458303Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:12.083{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C53E2BF4AFE5170068879C320FD9F6B6,SHA256=3BF93B1BA23455188CBB97D4FCAEE83E2A921AC79BE079BAC9E74DE70E56F094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403171Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:13.827{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F81B43909128B315BC53D6B8DD53A16A,SHA256=E8F791976F822029A5E44FEAE878A0F6043FC6D3B75F353EF94DF7076238E392,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458304Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:13.113{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00C9BA1A2D0778CC277C52A9AF6CCCC9,SHA256=ACD826E18F06998B50938CE27EDCE74CA49328543C73CD8FE1643011D6BB9A6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403173Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:14.858{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F661F2053ACBA7627001DF74B3116FF4,SHA256=F696BD4EEFF51E5FCDBFD94D23DD6179238192C375E69EF7305AE7F508E763A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458305Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:14.147{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDC95905C22A4EDCE335A0DAB986C788,SHA256=827F896E15E49142FC7E8501CAFE370DA5B9F0704BD088DEEA0338C68C144AFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403172Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:12.458{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54232-false10.0.1.12-8000- 23542300x8000000000000000403174Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:15.873{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D2951833DF8FA160D25CD38165DA2FD,SHA256=9AE6F0CB1D53D1F788134D1FA0CEBDA2A630B8ED44CE6B6CB6E1D3EF6F4C5E66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458306Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:15.165{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C556FE47A9C7E4C2F66924B031BFB407,SHA256=CFA9B3BE191BF574FE1D8756002EC3638085F6EBE93BFDDBB2E9A372EB6D8975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403175Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:16.889{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48D3E4A125F8FB642FF14F1DDFB9010B,SHA256=168DA9027E42CEA000A9853E2C761274424724746C21C7D6C78DE2F3092096D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458307Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:16.179{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBA09A3A4D50AD77C7690EF664047165,SHA256=AE11DA713724EFE03A718A396EDAEA9911538B3616328828D2CADE52D6525C07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403176Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:17.889{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40365B0921A3C9C24BD66CEF4E1CE064,SHA256=B9F8C321F41969090CF9842480DC2377DD8A74C96E382C34D4BA6E7723FE06F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458309Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:14.472{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63255-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458308Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:17.209{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59D13C15E172020B697EE08C6EBEAC18,SHA256=CA577B26B83A7C720EE808D7369285482213F7939E4BD658BBEAEE9C23FAE283,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403177Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:18.889{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD6BB7A98502B3AD379D837C44ED516A,SHA256=99812916B77E1608C96EA62B959286EDAED8E05B590B40C1F786EDB7CB6F9036,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458310Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:18.224{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE0667AB7B696155B807E6A3CD534CA6,SHA256=49E0D19F1BF2188157567BEC74949E683B812433ED3C12C4765B1B5F6AE4C9E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403178Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:19.889{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3EFCC9676BE9EDA0CF4FBC533ED240F,SHA256=96A924405CFA41CBCAA12A32454ED296A0BE703878826042685238A0D5D5B2A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458311Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:19.260{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87B733A4C10FC055B39A06182723F275,SHA256=05366B423281AC6494B4CA964AE487E00C365401DEF2B8D4D66A8835190E26C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403180Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:20.889{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB817A34A8DF0BD0576597DB7651D572,SHA256=FDAEFD44EA705FA9E12D804BE3BE42A9EBA017BFBA8268542B3561D183165ACE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458314Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:18.307{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local63256-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local445microsoft-ds 354300x80000000000000001458313Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:18.307{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local63256-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local445microsoft-ds 23542300x80000000000000001458312Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:20.274{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9441A2A92C49CCD612ACF274BFEA6D0,SHA256=D9A764A35B234C880F127BB656D02D7C4F02D618E280F7F6BFE750B2C8E1BC2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403179Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:18.489{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54233-false10.0.1.12-8000- 23542300x8000000000000000403181Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:21.889{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B601E7AE274A6EAB860F2BD37AAC878F,SHA256=7791F59B658065283F436B7C67426A11FDE78DBBAE08CCFCF28B9E22478755F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458315Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:21.289{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41330B76304A59684DA222233787157A,SHA256=A64F453B9B18A6AFD6DD9B5A672A782F630564D617C263678AB45CFAC9C369A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403182Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:22.983{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C40AADFD51FD47C297702711A6C92D1,SHA256=8509DDB20B5FE5C342D9269981701F61CFAAE93444EADE49E5C26E5BCFF218CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458318Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:22.319{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B585743CBE56AD1BB3D3756966DB1A0,SHA256=7846EF6278EEE130615874443C425458C4AD79B8C670414EEA38C4B0205ABE89,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458317Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:19.703{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63257-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001458316Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:22.119{D694AEB8-B3E8-60E2-0B00-00000000D301}6566076C:\Windows\system32\lsass.exe{D694AEB8-B3E5-60E2-0100-00000000D301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000403183Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:23.983{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC4D9D3AC531D6E2DFF397B169942829,SHA256=440791AFFBEF0E55D6874018708B46D5DCA22FEC1BD018DFA2FA1924746EC141,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458329Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:23.338{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B9C2D6F953CFD882B6932F8CAF8D40A,SHA256=816AA70585EFC032E6D8F85CECD8698C15658E1052BDD5AE239C3FA94A973AE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458328Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:21.457{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-201.attackrange.local63261-false10.0.1.14win-dc-201.attackrange.local389ldap 354300x80000000000000001458327Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:21.457{D694AEB8-B3EA-60E2-1600-00000000D301}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63261-false10.0.1.14win-dc-201.attackrange.local389ldap 354300x80000000000000001458326Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:21.451{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local63260-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001458325Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:21.451{D694AEB8-B3EA-60E2-1600-00000000D301}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local63260-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001458324Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:21.450{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local63259-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local49666- 354300x80000000000000001458323Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:21.450{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local63259-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local49666- 354300x80000000000000001458322Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:21.450{D694AEB8-B3EA-60E2-0D00-00000000D301}916C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local63258-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local135epmap 354300x80000000000000001458321Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:21.450{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local63258-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local135epmap 23542300x80000000000000001458320Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:23.018{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8AD838AEEA8C9C0C6905FB545239830,SHA256=C554C8A87215DE4F2AC31E8AB332C9A64314BE5195FCCDBE171D6B08FFC5ED43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458319Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:23.018{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2EEE042E1E32675F90BA4A48A479A69,SHA256=E38BD6781098D37903688A2D3362072DE49D646B9494D05F3F183578E411781E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458330Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:24.354{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B23A09C66DC230074DCF136A566D549C,SHA256=C1677BDDA21683DD8A7859E9D6E0C3BD7476798472ACD8C43D6A63E0C08802E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458334Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:25.368{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74A2368810A31B1BEE88DF4F0D867DE1,SHA256=418EDD4E06A40863EBC6C4920E3A8E2867E64E80215949CE7665DEB66947CB13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403184Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:24.999{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCAF8BB4BFA082859D964AB354FF0230,SHA256=C87DFE2D58665E168A66758BDA06F94993E8AAEE16425FF0112A933ECB3C4E51,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001458333Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:56:25.137{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\DFD6B7A8-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_DFD6B7A8-0000-0000-0000-100000000000.XML 13241300x80000000000000001458332Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:56:25.137{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E4B998BB-7148-4125-92A5-5D16014446F6\Config SourceDWORD (0x00000001) 13241300x80000000000000001458331Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:56:25.137{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E4B998BB-7148-4125-92A5-5D16014446F6\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_E4B998BB-7148-4125-92A5-5D16014446F6.XML 23542300x80000000000000001458343Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:26.415{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\permissions.sqlite-journalMD5=01EA03C9D9C6B7262CB9306178E8F8FC,SHA256=3704C92001270382877ADF4DF0C1CA8251DAD82A3C63D442BE3ADB035394701F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458342Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:24.595{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local63264-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001458341Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:24.595{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local63264-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 23542300x80000000000000001458340Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:26.383{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D86BFC4A9A8F7A85B93BD9E5DF5AC3D5,SHA256=A49707E800D684A770D7AF7323FCE3C4CDB60778A92CDF40802049509F1AF726,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403187Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:26.436{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F902AF75F80D5E14B904AC16C50C887F,SHA256=3B27E78122A0D344FCA8741155F5B936D3E3319051D75B830661604B01AA4437,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403186Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:24.473{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54234-false10.0.1.12-8000- 23542300x8000000000000000403185Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:26.014{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E13190CFF37402D40754E39630F2E17E,SHA256=D10B58EF7F14D1559051D6262F7BDB915CA9A3FFBA93A4A3C43078368920EDA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458339Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:26.152{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8AD838AEEA8C9C0C6905FB545239830,SHA256=C554C8A87215DE4F2AC31E8AB332C9A64314BE5195FCCDBE171D6B08FFC5ED43,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458338Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:24.590{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local63263-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001458337Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:24.590{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local63263-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001458336Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:24.577{D694AEB8-B3EA-60E2-0D00-00000000D301}916C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local63262-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local135epmap 354300x80000000000000001458335Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:24.577{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local63262-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local135epmap 23542300x80000000000000001458344Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:27.397{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1885277D4F72DAEA515A0951E48F862,SHA256=347315F14C9E575EF860F76018ACC8E9C5E3E64EBE7591715584495D9845BE84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403188Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:27.014{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E23A74409952213816549A89CF4AFF0,SHA256=08C840D05E0625C4CBFA941586FABDEC7BD4B70DDC863560D9C26600514B49CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458346Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:25.674{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63265-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458345Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:28.412{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=355ED7FE9BEC9078D8B60DDAEAEC3B4E,SHA256=13999914C515C37A82B86DED39941481AD0F8698A17C120EDEA7B9FB9B030690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403189Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:28.014{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F19A741691C994574A60593551E415C5,SHA256=DA99612913C8948581A38093E9D61554E7F8CEED7015F7AABCD4FB51F873DCB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458347Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:29.412{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2720CA7C8F04B0DF1453C75C045EC769,SHA256=19A3E1A5B62E52B7FD295E9B35B6B5B4C076B7C0DA8E6C09E1F8F99FEFE4D233,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403190Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:29.014{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77D0B693E5E13C1A858A18070F64304E,SHA256=3F95CC1570412C3FDCB0E2C0F9C151CC77425939610079E61406FCBD85529AB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458348Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:30.429{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1022341E7D80083766A12AAFCC685D69,SHA256=40C70E116E3635CE6D6A9C544B9506C3F4B5196CB6FA37B7305AA5E056EE6437,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403191Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:30.014{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10D7F6A0D2621C32EF76CFE9A694873D,SHA256=1B66AF7B2E2B209D4E02A9A447AC14D05CAB86D3B6926F8B7E063B4F0D4E862C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458350Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:31.432{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D823FFA0F3CFF7E0F3C497D0E6ADBB92,SHA256=710C1DD38E9B9C6D796DCCB50564CCBC5860993AF114FE8AC558768F3B603E5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403193Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:31.717{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403192Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:31.014{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6C4B7E7C3DFEF127C2191F1D4A02575,SHA256=0AA9F4D590C20101A8A652B3F6D4E10D8AE6A6FF6F3E5971321BFF4256933E0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458349Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:31.111{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458352Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:30.539{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63266-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001458351Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:32.478{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D6B58E5F9059DABD061B60DF8370573,SHA256=3005B3D3C4015896FB78A37FE0B6DCC2AC5E34075DD44C11E31C7963E7D65EE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403195Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:30.442{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54235-false10.0.1.12-8000- 23542300x8000000000000000403194Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:32.014{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=695D1891D24EA103C8677C738A519861,SHA256=73B9F1F59B3591B9216FCC16E41B2F63B956EA4AA0D1CCA13CD89598F09157F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458353Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:33.508{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0AC7F9EC49F7D287260E535DCE49AE6,SHA256=0A7021A3A2AC01D5712403D9D0EB6A93E6B661B705AA1DC7A144F6355BE5C49F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403197Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:31.927{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54236-false10.0.1.12-8089- 23542300x8000000000000000403196Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:33.030{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D50F01CDBC4FD96F3017C64CE7AFD61C,SHA256=8D77F9143532F1D26547A9F4438565716CC4D1CD37DE2FC69454E79A9B8800E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458356Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:31.454{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63267-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458355Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:34.527{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEBEB04C069F80677E8850D641198965,SHA256=59EDEBBE968E72019BB87AD492059B76678C8303C0132D219C141EB454CE82CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000403211Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:34.592{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0F92-60E3-480B-00000000D401}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403210Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:34.592{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403209Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:34.592{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403208Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:34.592{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403207Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:34.592{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403206Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:34.592{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403205Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:34.592{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403204Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:34.592{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403203Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:34.592{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403202Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:34.592{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403201Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:34.592{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0F92-60E3-480B-00000000D401}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000403200Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:34.592{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0F92-60E3-480B-00000000D401}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000403199Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:34.593{7F1C7D0B-0F92-60E3-480B-00000000D401}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000403198Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:34.030{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66E06461721E2EAF8CA8DCA4E47AFA3C,SHA256=A9906E67F4812212D3A5ECDEA33373FB2B4C0160B5942D721975445D472ADF5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458354Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:34.192{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F75C4BF2CFAF5B77AADE6DD1CC4389AF,SHA256=6B5C3E3009945811C8EEACE197A11837733D2CB5D46D8EC193C05168C8D2CB00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458357Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:35.544{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82CD785CD5E6F1EE4E4C9F27B5771E41,SHA256=25C5D8E1996B6C4CFA1E22A8FB7A2770C47A8AE812400AA1983219B81D79C32C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000403241Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:35.920{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0F93-60E3-4A0B-00000000D401}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403240Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:35.920{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403239Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:35.920{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403238Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:35.920{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403237Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:35.920{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403236Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:35.920{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403235Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:35.920{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403234Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:35.920{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403233Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:35.920{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403232Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:35.920{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403231Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:35.920{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0F93-60E3-4A0B-00000000D401}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000403230Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:35.920{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0F93-60E3-4A0B-00000000D401}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000403229Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:35.921{7F1C7D0B-0F93-60E3-4A0B-00000000D401}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000403228Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:35.811{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA26A6711C814A6A16349786C92B505D,SHA256=2ED57A089C7C1D002B709B4A1968F750723847F81C6BA523F6C6D0BE210B4345,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403227Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:35.811{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4166534D0FF5C5FB28742FCF3BAE3306,SHA256=81644E19140D86EA27A729A15682801261F311E7A0B4E804B2CAB667631D7FA0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000403226Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:35.467{7F1C7D0B-0F93-60E3-490B-00000000D401}32803128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403225Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:35.264{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403224Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:35.264{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403223Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:35.264{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0F93-60E3-490B-00000000D401}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403222Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:35.264{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403221Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:35.264{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403220Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:35.264{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403219Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:35.264{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403218Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:35.264{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403217Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:35.264{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403216Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:35.264{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0F93-60E3-490B-00000000D401}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000403215Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:35.264{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403214Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:35.264{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0F93-60E3-490B-00000000D401}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000403213Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:35.265{7F1C7D0B-0F93-60E3-490B-00000000D401}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000403212Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:35.045{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A95652D46A3FEBBB897D594706D13168,SHA256=91D15EFF1C5C4E84D1B6F7AAB647028427D9B630B6092C9E9B0F88FD34CCF55A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458360Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:36.544{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=272EB076057A2B10F9610FEC0B76563A,SHA256=05CEAB40EAE8265F32B2E082EEFEC480EBC5683B71F2604283C05BA78F9BF863,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403243Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:36.905{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA26A6711C814A6A16349786C92B505D,SHA256=2ED57A089C7C1D002B709B4A1968F750723847F81C6BA523F6C6D0BE210B4345,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403242Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:36.061{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E1778851FB02216A4DD95D82ECA0DFF,SHA256=8B8F6300B13761EF7AD8E546CC413012796E2775AC58B93A0FF24D7BCC4CEB63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458359Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:36.175{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37B56E6F45B0B9D213DA6FB128B32F48,SHA256=A4B614C469D6CD14D59885A1ED4D1971A241241CDC6309B875EDCD57E5D20ADB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458358Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:36.175{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CA3284415FC88A590961C140D78EDCC,SHA256=394E5F713DD20F660D035474FE738D0B4B97B5E78FD5869AD40F90F09A43D9D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458361Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:37.575{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B6C37E4A3527CE1C52D2B84775D76C2,SHA256=E087E3686ADED0D3A192A2CEFC512E01747A06402075D58D029DC74C4A91600D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403245Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:35.863{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-60865-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000403244Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:37.092{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB37AE1F179076A39ABAB37EE0E43310,SHA256=3049F9F4985F1FCFC5EAF255D76FEAFFFD3273ADC872FC6C85C74A3111E005AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458363Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:36.688{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63268-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458362Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:38.604{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=203E589332633C35EB0CAA59D3CD0FEB,SHA256=E6FF4F9E0B94B901B43C5BCB7DF3D24CBD11C47E0E701E76238A0332EC56183C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403247Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:36.442{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54237-false10.0.1.12-8000- 23542300x8000000000000000403246Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:38.327{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26DE6F902C582390F06325565C583702,SHA256=D7F5135B7C7B65D8B618DF75894428F665275512BF413EBCCE37208D68300C05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458364Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:39.622{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA399690AF83C85896CD0243EE4111C7,SHA256=7B68CB3AB87AC513B989794DCA8BB0DEF3CFEA1864CEF256CEEBF555A55F527E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000403275Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:39.733{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0F97-60E3-4C0B-00000000D401}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403274Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:39.733{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403273Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:39.733{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403272Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:39.733{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403271Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:39.733{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403270Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:39.733{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403269Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:39.733{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403268Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:39.733{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403267Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:39.733{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403266Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:39.733{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403265Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:39.733{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0F97-60E3-4C0B-00000000D401}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000403264Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:39.733{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0F97-60E3-4C0B-00000000D401}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000403263Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:39.734{7F1C7D0B-0F97-60E3-4C0B-00000000D401}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000403262Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:39.498{7F1C7D0B-0F97-60E3-4B0B-00000000D401}15643096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000403261Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:39.342{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5303FA200F9BE0D189C320340645A429,SHA256=FDB5596EBC50D5202C8A0D0D2CFAACC36A4150AAB10AC34342CD9BD3AEA04C4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000403260Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:39.233{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0F97-60E3-4B0B-00000000D401}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403259Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:39.233{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403258Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:39.233{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403257Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:39.233{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403256Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:39.233{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403255Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:39.233{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403254Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:39.233{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403253Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:39.233{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403252Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:39.233{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403251Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:39.233{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403250Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:39.233{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0F97-60E3-4B0B-00000000D401}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000403249Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:39.233{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0F97-60E3-4B0B-00000000D401}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000403248Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:39.233{7F1C7D0B-0F97-60E3-4B0B-00000000D401}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001458365Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:40.640{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21C18B90AFCE1B8B510BD6637C6A124E,SHA256=305CBE949EA54288C60CBA9468698A628D4C94E4719181B8DB55801F72D9B0CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000403304Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:40.905{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0F98-60E3-4E0B-00000000D401}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403303Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:40.905{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403302Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:40.905{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403301Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:40.905{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403300Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:40.905{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403299Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:40.905{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403298Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:40.905{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403297Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:40.905{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403296Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:40.905{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403295Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:40.905{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403294Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:40.905{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0F98-60E3-4E0B-00000000D401}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000403293Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:40.905{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0F98-60E3-4E0B-00000000D401}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000403292Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:40.906{7F1C7D0B-0F98-60E3-4E0B-00000000D401}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000403291Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:40.623{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6802AFA923C6EE9038545F6DF66D63E,SHA256=58BFA4F39CD87E9C82BBC18DA3FCED56890B09208AB9508AF574BFE7687315D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000403290Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:40.233{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0F98-60E3-4D0B-00000000D401}1644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000403289Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:40.233{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2BE77A3906DCF001D5FFEA174D8B435,SHA256=D941A52E7C2DD420AAF7241921AFA0211FE0D0191080170DD651D9B68868B3CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000403288Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:40.233{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403287Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:40.233{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403286Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:40.233{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403285Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:40.233{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403284Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:40.233{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403283Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:40.233{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403282Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:40.233{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403281Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:40.233{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403280Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:40.233{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403279Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:40.233{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0F98-60E3-4D0B-00000000D401}1644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000403278Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:40.233{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0F98-60E3-4D0B-00000000D401}1644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000403277Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:40.234{7F1C7D0B-0F98-60E3-4D0B-00000000D401}1644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000403276Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:40.014{7F1C7D0B-0F97-60E3-4C0B-00000000D401}26121824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001458366Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:41.670{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D3658A9EE77A1F947F50E8DA2437763,SHA256=EB66C0CDBA92287330BBE31A99BBF725D50DBD213F693418880D2EECE199B2E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403307Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:41.624{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E70675B91C5EC9B3C78DF8558BAC1EE5,SHA256=CC85C1010C3E50D35DFC89082AB2290A2A7BC6EAA78E6F53EFF1C3DD5AFD60AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403306Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:41.280{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD82D228F02D904EA9F5242A33BA39CD,SHA256=AB4A3C352255AE48712032FB11F40271555073391F69AA5FEDE729D94003B1C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000403305Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:41.108{7F1C7D0B-0F98-60E3-4E0B-00000000D401}3308592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001458367Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:42.684{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AD6BE1355339F68F4D05109871106FD,SHA256=A26EBE1514FBB01AEEF3F6BDB1BACD20EFAB2D392BC59C56FDE1BDEB48AB15C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403309Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:42.639{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=662F6E2A672E1363D26E446DF4859C37,SHA256=80BB1F5475ADB8C9AD824823EB8A3A2FEDF6642B50D9CDDF4850113EE9AC0C1C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403308Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:41.442{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54238-false10.0.1.12-8000- 23542300x80000000000000001458368Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:43.699{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=359F242B3F0CF8100FDFFFC90AB346C0,SHA256=640314408BF811B4463D68D21ED09C55318B292E3C12B4DC460C614C814B18E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403310Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:43.748{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F2B39E7FC990B3BE454DE6AE87F4E3A,SHA256=03D5D7BFEA9E8163FE589B42D55341D0A9B653FAB75D67B8EC960F662E9FC7D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403311Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:44.827{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BE064DB25178398FFC133F38DE40188,SHA256=604C7158D550213FCC5B909D21FB6ECFFD6DD12DEE583975257A132977FC1986,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458372Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:44.721{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5597308A734F30B72620DE0EF4CEC6F7,SHA256=C359A579472DDC7DBD00EAD83134C98012C55220F64A2257D67966D6514E4DF3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458371Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:44.251{D694AEB8-D134-60E2-1A04-00000000D301}46644760C:\Windows\Explorer.EXE{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55af0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802AE65A8C8)|UNKNOWN(FFFFFD032B8B4A68)|UNKNOWN(FFFFFD032B8B4BE7)|UNKNOWN(FFFFFD032B8AF271)|UNKNOWN(FFFFFD032B8B0C3A)|UNKNOWN(FFFFFD032B8AEEF6)|UNKNOWN(FFFFF802AE371E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001458370Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:44.251{D694AEB8-D134-60E2-1A04-00000000D301}46644760C:\Windows\Explorer.EXE{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+555d1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802AE65A8C8)|UNKNOWN(FFFFFD032B8B4A68)|UNKNOWN(FFFFFD032B8B4BE7)|UNKNOWN(FFFFFD032B8AF271)|UNKNOWN(FFFFFD032B8B0C3A)|UNKNOWN(FFFFFD032B8AEEF6)|UNKNOWN(FFFFF802AE371E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001458369Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:44.251{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF166447d.TMPMD5=919ED2825C4A4BDE663AD9667A5FF39D,SHA256=D678DD1D213D56000B1DC130EB771A2956EF5AEB8342955305D734169A4F7A37,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458374Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:42.681{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63269-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458373Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:45.751{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5474EC2322806CD2080C2BEB1C6D9CFD,SHA256=7D49C738C0714BD7AFAB3C221FE1883D77BA86BB3A7D0958228A8E748F72640F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403312Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:45.827{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07E7F370BCB26ABC64B04DBE09087168,SHA256=AB348C0F9E3AB7F7C101F8D59797D3C77692604D8D51941D1830E0E54F862E84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403313Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:46.858{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E16C30B6D43534749FC218DE1616347,SHA256=4914517E3214468F0B9D3D174CD24288BB619FE0EC28128684A7BE029570F957,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458375Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:46.766{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31D5CC37DA7136D8A485941F1AA2E7FE,SHA256=1E8410F9523CB13A1C28305B3EAA1D251E4FFCF6DAC0C9C893F10BE512BD8200,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403314Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:47.920{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B294A0A02B6D043BF7C4CB86A2F8A59E,SHA256=0265CF951B55D9F0AD12E22A7895FA992E7E4EB2DF7A9416FABBEE9377A00848,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458376Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:47.766{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F104A9CB7423BEDC37F37F0DB2ABD660,SHA256=2BE870D24D020DF5770D4D2F8574895FE3DAD6241451CF24B152E04BF0D1A30B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403315Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:48.920{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B483B9455F3A87E4FA6A9DD2ECFAD8E,SHA256=87A1098DE41AF81400931612E417033DF4E7A13E299788F5E98108944FD4F25C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458377Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:48.781{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E079CD98D77BF67FE3F70821DE9A1A50,SHA256=7D3D930542AADFFCE76FDC4885031EA13224A6DD1010996B74F020D18851A955,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403316Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:49.952{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BF1A62E6A1F5E79F538F10BCA9F4B86,SHA256=18171D47BD084CEE40E6BDB96D2AACE193B2110C2F49758D5CE0D595F0146573,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458378Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:49.795{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC87EFFDE67EE1168234DA0953828C7C,SHA256=D457B42EEF681C7EB0A2BA66918DB3821DCCF9645E9CEEACF3FBEB96D66E74A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458380Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:48.693{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63270-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458379Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:50.812{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08C478A3055ADD69F9489760623CD5A7,SHA256=65E5D737B04BDB4AD2674C4A23F987CB9FEA7490C9E23C24F4BDC871482F9074,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403317Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:47.442{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54239-false10.0.1.12-8000- 23542300x80000000000000001458381Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:51.830{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50CF009DA83997A535B0FA808FFF3D2D,SHA256=288084634115155E5C90D526B47627903573984E22B7F5BB37FF5711450F93CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403318Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:51.077{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39150CAB9F49A67E65F2D37FE5D3A75E,SHA256=BE0177B157EF1CEF37BCAAC043B4FAD1B652BE9305883CADA4A77806EB28CEFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458382Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:52.844{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99CD3F017D0BA8F02316B4113E9EE164,SHA256=808E6EFB62F7F73D04EE296651743518D30F5F5E6F0C1998CBDEB81ECA347B93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403319Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:52.092{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=089BD80D66E935740C3AC66F58A6929D,SHA256=BB9CB1BA64058B0CAE04ED4EC0950C5DDEB8C554C6D7AD364172875E82EB89F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458383Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:53.859{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0838257FEB0D844E4E1511ED99B10A6,SHA256=7D17F91167B5F6B47B5C6C075CDED0F9FC3C92C2B3948F0FAAAFF1DFFA4B36F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403320Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:53.092{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C186348BC75D0490874B8ADAC6063378,SHA256=4F55F6C2F501519B2511EA0D6E95197A5F102CD1B387EA3C6675BE3DB0A16A72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458384Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:54.888{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A03E3B7E13A4A56CFC22D02CF9110980,SHA256=5714153DCB8ACDD2AB8856A5FAC40A809F137B60526433110ECCB6CE35B71F5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403321Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:54.092{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A266B897B98510D86782391A419DBD8,SHA256=B66F194E3BD2C90967F65552F1171CB7ED99FF14A90F55DDE9A0F2BFE08C2D38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458385Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:55.925{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C9AFBBE948746105486D728E6FA9C87,SHA256=89686AC2223D39607EA515DAD5B05F4B34748FF790C9F0B79C129F293946BFAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403323Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:53.442{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54240-false10.0.1.12-8000- 23542300x8000000000000000403322Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:55.092{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3462F2FD4861DF9FF1A6E8C8C4B03F16,SHA256=AE44860D504CDE0C49BBAE5F3A57B63347D9468F5462501BE8E3F1F069952FAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458386Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:56.955{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE103136B27337C0FF154A2C79B0EA6F,SHA256=9CCA066F2EB308F85F1FD469F8CB970DD26925457ACAA61C3CA8816915F23D82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403324Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:56.093{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D89290AE592455EAD734C7BD765A28DB,SHA256=8B9AD56BF084092746A60DBBDAD194B8A4DC278E50B5D7F14B7946B1AF1C0264,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458388Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:57.969{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98537B739A0F20E512798C6A4B0CF988,SHA256=42B40CE1D74BBF8A79B5DC0596BC58A4628A905B615D173BA30F20BB7A618384,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403325Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:57.106{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=787701A2C5C2D85DA5E103D5294E0467,SHA256=5DB650BF4B67D609611CAC0454CB9CA12C8A499084205913ED54337CB7CA87C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458387Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:54.685{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63271-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458397Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:58.984{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=517E76CF174D204A9A749B61D32C9A87,SHA256=8959D41A22A1387480CE74CF1CFF2C626321EF2F12EB3352AE542BB8D72D8685,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403326Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:58.108{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ED403AFD5ECCE4D1303ABC57A8FD9D4,SHA256=BE798B0A2153FBB090CC61CEE7933185FCE6560BF02358D7237AA36C7B328018,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458396Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:58.905{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0FAA-60E3-E10B-00000000D301}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458395Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:58.903{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458394Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:58.903{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458393Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:58.902{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458392Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:58.902{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458391Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:58.902{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0FAA-60E3-E10B-00000000D301}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001458390Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:58.902{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0FAA-60E3-E10B-00000000D301}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001458389Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:58.900{D694AEB8-0FAA-60E3-E10B-00000000D301}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000403327Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:59.108{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31AA0EC2634686502CD76BE59122028C,SHA256=14773F39C1AA079067AFA16153B64E5F66BBEDD306ADA9DFDCC17D19DA7BA67E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458407Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:59.921{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6085102927150F91DF386C2B91763C1,SHA256=FE10713786A691C4493B73AAC0FB448F1F64E8A2CCFAA82D0886D8744A8A9AA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458406Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:59.921{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37B56E6F45B0B9D213DA6FB128B32F48,SHA256=A4B614C469D6CD14D59885A1ED4D1971A241241CDC6309B875EDCD57E5D20ADB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458405Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:59.568{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0FAB-60E3-E20B-00000000D301}5792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458404Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:59.568{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458403Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:59.568{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458402Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:59.568{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458401Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:59.568{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458400Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:59.568{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0FAB-60E3-E20B-00000000D301}5792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001458399Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:59.568{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0FAB-60E3-E20B-00000000D301}5792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001458398Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:56:59.569{D694AEB8-0FAB-60E3-E20B-00000000D301}5792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000403329Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:56:59.333{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54241-false10.0.1.12-8000- 23542300x8000000000000000403328Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:00.108{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=914664D66CD8CA090EEEB2E61FE65CFD,SHA256=1D4917877A05CA1F9F9F822843F08AD81B6640A5D6A9EB894D363E77BA27807F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458417Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:00.231{D694AEB8-0FAC-60E3-E30B-00000000D301}5405296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458416Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:00.067{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0FAC-60E3-E30B-00000000D301}540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458415Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:00.067{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458414Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:00.067{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458413Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:00.067{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458412Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:00.067{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458411Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:00.067{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0FAC-60E3-E30B-00000000D301}540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001458410Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:00.067{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0FAC-60E3-E30B-00000000D301}540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001458409Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:00.069{D694AEB8-0FAC-60E3-E30B-00000000D301}540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001458408Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:00.021{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08A394D66D8F95C00E8B3E1ACC994E65,SHA256=496347B29C418D97188322F53BAF1F628637B0DF38CC08095EDBFB4BB7256E42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403330Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:01.108{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F84D00BAB937CEF48453CA003C81BE0,SHA256=34898CA1AF5D5427E58D0683E41A25D308F812C3C81FF9E36356818FFD4E29D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458419Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:01.093{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6085102927150F91DF386C2B91763C1,SHA256=FE10713786A691C4493B73AAC0FB448F1F64E8A2CCFAA82D0886D8744A8A9AA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458418Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:01.046{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9420371F3BB1BFA7911F2134B04BE19,SHA256=EBB1A68567CABE7627FE9EE5047B28CBF7C45C98BD3206211DC433F92DFEE25A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403331Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:02.108{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AD72377918A1A2F8DFAC64E4FB57FBC,SHA256=B44657E54E8EA5B25DB06C2474523420D30F9B7C4038E0110411F4F0E61CCB56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458432Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:02.729{D694AEB8-0FAE-60E3-E40B-00000000D301}54046292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458431Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:02.560{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0FAE-60E3-E40B-00000000D301}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458430Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:02.560{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458429Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:02.560{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458428Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:02.560{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458427Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:02.560{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458426Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:02.560{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0FAE-60E3-E40B-00000000D301}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001458425Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:02.560{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0FAE-60E3-E40B-00000000D301}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001458424Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:02.561{D694AEB8-0FAE-60E3-E40B-00000000D301}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000001458423Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:02.529{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\SiteSecurityServiceState.txt2021-06-30 11:32:16.412 23542300x80000000000000001458422Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:02.529{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\SiteSecurityServiceState.txtMD5=AECD98D4CCB99599C4635981F1DEF43C,SHA256=8E15D974107E1A6E356F625EF3CE268908EA331166DD3E11296EFF3C9A6644F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458421Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:00.453{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63272-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458420Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:02.061{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D3B22AE900B804BBE74D4A151DD65C6,SHA256=77F47841EEBF62FA03BE0D16855AB90315E0A2DE0823E22B55A67573FB7CA38D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458452Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:03.813{D694AEB8-0FAF-60E3-E60B-00000000D301}71046020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458451Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:03.660{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0FAF-60E3-E60B-00000000D301}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458450Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:03.660{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458449Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:03.660{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458448Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:03.660{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458447Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:03.660{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458446Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:03.660{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0FAF-60E3-E60B-00000000D301}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001458445Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:03.660{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0FAF-60E3-E60B-00000000D301}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001458444Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:03.661{D694AEB8-0FAF-60E3-E60B-00000000D301}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001458443Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:03.575{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25C2627405582DA567B9E35F60450995,SHA256=3DD02695F511F5D501012AF4A6486F49D1B7471D97BE866AFB0BAAF88EB483D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458442Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:03.276{D694AEB8-0FAF-60E3-E50B-00000000D301}48925488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458441Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:03.129{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0FAF-60E3-E50B-00000000D301}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458440Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:03.129{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458439Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:03.129{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458438Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:03.129{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0FAF-60E3-E50B-00000000D301}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001458437Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:03.129{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458436Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:03.129{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458435Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:03.129{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0FAF-60E3-E50B-00000000D301}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001458434Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:03.130{D694AEB8-0FAF-60E3-E50B-00000000D301}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001458433Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:03.076{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F29F85D42A18AF3A891B03CD851AB9E6,SHA256=2BA35395EE8B3C4EB43833687847D6E4002D0BD7A193889D861C6E40414CADA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403332Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:03.108{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=876B03896C95410279E0089097C80ECB,SHA256=7728CF1CA75AD047136BA84583F56F1A0682BC328D286DBEB7C58FA0DA51311E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403333Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:04.108{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFE553BE383936A0B394E5FFFD658D5F,SHA256=3386F3445B047382BDEF0C7B68C3C16B0248DB6D6EB1E4DD375ECD87531DF6CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458462Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:04.675{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0330F41BCF0686385E983ED157B98B4A,SHA256=1DE7F354720C4E058BED5FA4679ECAD5DB44B08361BFC4139FD1C69E29552A3F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458461Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:04.275{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0FB0-60E3-E70B-00000000D301}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458460Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:04.275{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458459Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:04.275{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458458Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:04.275{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458457Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:04.275{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458456Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:04.275{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0FB0-60E3-E70B-00000000D301}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001458455Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:04.275{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0FB0-60E3-E70B-00000000D301}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001458454Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:04.277{D694AEB8-0FB0-60E3-E70B-00000000D301}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001458453Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:04.113{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECAE51AE9CE5613283EC172D286D6574,SHA256=2F6069588E4487AC8CFBE0FB4467EFC5139A0220F697A43EA63616966DDEE481,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403334Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:05.108{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFBC8C5F949C81204A3506ADF0002528,SHA256=927E5D492926094A4F36E96743AA1D8FB919BE9574DB585D828D72AC5039C0BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458465Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:03.635{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local63273-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001458464Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:03.635{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local63273-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001458463Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:05.128{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD7F88716D42AE39AE901B0A7F124F7B,SHA256=0FF5BC0F8765615B16FD9B2F49EA1CDF5CE989C1C5A291CCAD4DEF3132B11031,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458466Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:06.142{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=962060FF807A3BC16AE80A06EE49476D,SHA256=BCC412C17F8D4736721389978A711C1208AEBECB55409B5AD4D4E3BEFC08FA80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403335Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:06.108{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AF5F43965D8530B066646459F088174,SHA256=9A27CA46195848696483D2722EAD857D73C419450CFA6576781D920A2C949CB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458468Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:05.686{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63274-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458467Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:07.156{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F091FB30D7D65BCF1B9450A84706FB66,SHA256=835FC4E7D27D470622A556CD66744AB80C7F05F549B80CD7B80C262FF4C5F587,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403337Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:05.364{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54242-false10.0.1.12-8000- 23542300x8000000000000000403336Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:07.108{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=941EA3A9E1CD4D1202A540315A73963F,SHA256=35228CBAB4A267D3E2FDA611CE7B0AB981082DAF7762873139E70557F34CAFEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403338Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:08.108{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABBBDF33F98E77D2C5D4C597FD3DFC94,SHA256=574B055150CC5EE3956908EB09F005FF152795FA43E9AA5D5B1710FCB220E8F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458469Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:08.171{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A579D19E8EEFF097C0B37B05BF9A0B1,SHA256=291407BFCB74D6384AC2F57680FE397F6CCFFA8E326056556BD367D64968E7FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403339Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:09.108{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A13FC574B0973ADDF120C28E9A6F542,SHA256=2D9EA595EA7B59617E69C2F2373BB19ECC436DFD837BFD057F5D04130FA9F235,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458470Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:09.186{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF0F92205E8DAD773281D52EAC12C791,SHA256=0440E3504DBA6BB8F2067C91313001A9A413CDDA07A7E39268620BBBC9F58B17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458471Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:10.203{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8C28AD6F959349ABC68D64FE75D25CB,SHA256=1ECC011A5B734B6E57D07456485E70C516F762BA80A0BC357C02AE2993EF6DA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403340Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:10.108{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3EC0D49AEF3C5D5FF2772D24891C515,SHA256=07C25555BA7443873AFA9C6DFF00BF992A3BB371EAF969FE56DB7EDD32EFF0D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458472Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:11.221{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978F78E1C7CF2EA87291085E87AE57C3,SHA256=F31D374E81B2B06C1C04D9729640DEFB2C55F7FABBC1035542C668D569FFD8A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403341Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:11.108{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22CE8AD4506F76F0BD2D9FBCEF74426A,SHA256=69FD9F69A725CD468FA14DF5A3ED0CE0E3632629454A9A79BC80D1AD460F2D66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458473Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:12.251{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3536FEE1EDC0BC2CC5F75514ABA57089,SHA256=68029A7F02192A4FF4C89A9DAF4469028404E4B7BDBE044A62D441C404373CCB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403343Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:11.380{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54243-false10.0.1.12-8000- 23542300x8000000000000000403342Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:12.124{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5570F48905034FC12D54E54881DE1CB,SHA256=060221757184F0E1FAE96039B174713DB5B26159DBE1D678FFCBE7A2D6F1D90B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403344Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:13.124{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4831B2E07FD104188E34B0D6590D23E,SHA256=193B83E1A08631174DFF7F2DC1C3344E97058AF9D31B788EABF1D6612A1DB99A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458475Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:11.679{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63275-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458474Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:13.265{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1BA590F82BD2808A5B0AB298CACD53E,SHA256=84A22B9794C376CEDAC71590121CA72F45F2D9AE292617CA7FB898EB13CE7215,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458477Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:14.648{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=24E00C6EB8F43BCC2CF37CC523EA44D4,SHA256=0C1F266C958E23034BAE614DC9D40FB636793733EAFF04D4A318AC7672A814C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458476Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:14.280{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1744B99E61767EAA51379AD6426FA122,SHA256=B211EFFE8B31B1F27E139186E93A0C7517F1CB539E3CDB8A862549CB162FA6C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403345Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:14.124{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93BF974280E05A03A02101B466CE0755,SHA256=B89AEFB2C1EDFBB8DFD9748F90BD68AD7218845FB2238B84532B1800FD8BC445,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458481Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:15.616{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=022C5AC1A6A11092D4E25123BF559DB9,SHA256=942FD907FE270CF5217DA9E38A724ACB41A2821EAA866CFC0A1EC0CF9117A97B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458480Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:15.616{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C9E10CEA564DA5A7EAECD299872BBC0,SHA256=C2C6A4954DB68AB51D37794E7CA8079F11AB45C1BDCA42C2DD03E17574B9E4B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458479Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:13.839{D694AEB8-B3EA-60E2-0F00-00000000D301}376C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-21707-false10.0.1.14win-dc-201.attackrange.local3389ms-wbt-server 23542300x80000000000000001458478Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:15.297{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E12978BEC83521B580BA93190C1F8E85,SHA256=E5DD76A0690B702076AB8B7043EAD0EAC17B673A17FAB610A9748D13C57EA88E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403346Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:15.124{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B77925EE57FE60D4ED145FDBAFDE42,SHA256=82807AF93CA588907CA6C58C5EB140380BA073613CDAD4A6CC63D0DD561840F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403347Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:16.124{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC4FAD1A4FE8E3B3A1E8069FFEB6B8C4,SHA256=4FCF4A65A9D10DAAF195F0D2DA7D915BC4E6F69510B70A9A8022EB95439FE2CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458482Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:16.316{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9006D788C54D0ED3F1C832DAF8EF196,SHA256=B7E6494D55DDFD9C2ECFA49D95E9181A79C440D5FB3E503DC2FADB74874CE4D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458483Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:17.346{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51B13345A233D53CE987B67CCD97F87B,SHA256=A1D15F46DB3B676943F08C1315E847F4AEAD011012F08901C2EB3B84D91C65EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403349Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:16.380{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54244-false10.0.1.12-8000- 23542300x8000000000000000403348Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:17.124{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84AEE95A0F9A48AA7C17E02E0B3D4A83,SHA256=7AA8CEC48A0FF7CA3EE7B15121CAC769B4FCD587F42371FB3A45735B9A4F895B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458484Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:18.347{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DCAFC2471DB4F5477B0E9C735DB9965,SHA256=E3E34828C6BB4BE2DD93F23F4D4D1A63AD699DB96B6325CDE8B466C23FE8412D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403350Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:18.124{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FA55810FC891F0C213F98A420BFEF73,SHA256=717C29D11A01F22F5AE6DC28066540A42B1928A883DA574A71C0D779CE2DD35D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458486Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:17.676{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63276-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458485Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:19.378{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A268B8956B4D00FBC74406A6FAA12A1,SHA256=38371A180C3B107D8606E134497E04990F0D53E81D5E8B652DC7F921D57CDE14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403351Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:19.124{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A52074809CB4E7FDBEDE13CB481A487,SHA256=1DFEBCEB25F74E46BB1B979602E0EA347FD27B428B0087457511875FD60898B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458487Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:20.379{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BED0DCBAFA22731EEDF8B4D17506CCCF,SHA256=A608156AB773EE561D990796F04DA853C30A106C30736C12F47F52A6F4483CA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403352Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:20.124{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D5618182B294DCD80A3F2CC8CFC5910,SHA256=CB982856E325A605EDE00082388A5F301D25B5FFCB460A6BDCF16ADD0CD89C79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458488Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:21.397{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C5BA11F96AC5E1E631AA36EB369820F,SHA256=56238C64B43BDDEA276C75EE06721FA1D08ED7BDD6187DF71DFF6F3D22700819,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403353Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:21.124{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F39A0982EBECDA09793CDE4527A8527,SHA256=8C5B9120F500D98B5F0900CFFCC5D23EB40E2CF005CA112294E75FBE2C7588D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458489Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:22.415{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F1003B35FFB8C99D5618C85B7FCB0ED,SHA256=697578DE9D01005E72CFFCAF0EC17A8C193E400AE2A68E30C98C7360B75C4936,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403354Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:22.124{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D7357C67EDADC105D10A8F4A4FD49EF,SHA256=C08DB9623B7ED7F6F0F180FE1077985EDDDD761B9A7688D611C08A9585A4C6E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458491Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:23.445{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC28786F197DE1F8B62CC62237917AF5,SHA256=8EBB11DFE9F3DDC8297673B07C8235A0974B377F051A171AB68924C1B557AC9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403355Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:23.124{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27B746E748EBC91414BC44C1A6004E93,SHA256=2D71371EDCDB88B1086C498742A72DAAE9C698A465887D5B3025C6B48D60AB00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458490Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:23.014{D694AEB8-B3EA-60E2-0D00-00000000D301}9163368C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1600-00000000D301}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001458492Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:24.459{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12F02F485AE68C19E7762958363DB076,SHA256=AFC4DE2C28E941E351BBB7DA5E33D15AFAC1B28CCFFAA3065AFE9120C143D3DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403357Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:24.124{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=686329C0D7C7E3A2CDF8E9B9FFF86254,SHA256=0358C3D092D85E7700A5AE74FCEE87B6976F354497CD795C661AC0AA401E7139,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403356Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:22.365{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54245-false10.0.1.12-8000- 354300x80000000000000001458494Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:23.656{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63277-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458493Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:25.474{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0D713957D0BB235010F2179F5C52C13,SHA256=040E5E0420A234EEB38174D7E1315FAC9BDE3EF03739881AEFF8EA2D17CE3581,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403358Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:25.124{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDA884BC88091968E02EC4ECB69C3DFB,SHA256=3D53C5D0A06DF035CC653CBF93B5777BF78DD24D4716D855CD4474C72914A88B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458495Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:26.475{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C9346DB9641BADC2A9988C4C3EC4D3A,SHA256=A0C260B763F2B51995B59329049F8A87B067B0DF8BDEFD5647ABCFBA639C06E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403360Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:26.436{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C550AAD8C80FBA238117B47F547A07C3,SHA256=8EE2E5C57670F11A2E5286FDE2E051E02D65A841E274DE32528E3D3305240DC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403359Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:26.124{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB37146FBEF3BDC7C96163D103A62B05,SHA256=BA9595F3E64FD7704B81AA6443AE8E8A92ECB682FA2C4D550724445ED45B4970,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458496Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:27.491{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1048155EE0F6BAA53917BFA47638EA7C,SHA256=501FD660C94C50F1C5EA0A689C29C383BB2A1045D8A7FE772BBCAFA069944617,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403361Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:27.124{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F38AAF8769690CF87605925560489D3,SHA256=1509774BA85D19B0E48845D0020F15A65005F4054ED64D9637351E91E119EE11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458497Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:28.525{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62CC148886B51CAEE48809F61037CE0F,SHA256=45ED98EA752FBA3A43A227F022A003B627BE91201503674E23748F73AE1E87EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000403365Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:28.249{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E4-60E2-1300-00000000D401}848C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403364Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:28.249{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E4-60E2-1300-00000000D401}848C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403363Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:28.249{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E4-60E2-1300-00000000D401}848C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000403362Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:28.124{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F8A54116F57162F12D4A0F86ED2A8F0,SHA256=02C6BB9B7CAB955DCB8E6DC6B6D3A1A2BFAB81619F9206B735CC2984D0B22984,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458498Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:29.539{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B64B8E5949C0116B43EFA1DDB53A0CC6,SHA256=C112F4E0C684AA24B26912A136A45536566450F39CF77E69A351C61374E7C197,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403367Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:27.381{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54246-false10.0.1.12-8000- 23542300x8000000000000000403366Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:29.139{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8220D1B75C7106512D2E8D62C9F3B5A8,SHA256=FD18070644E400D25A33AC0E5184CE7960F50DDDF39388759260826CFB532C61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458499Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:30.553{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F564F030AF51AA30F04599C8BC5A4956,SHA256=DD9267EB9625B5A08D913DD1126D36DC4C8B62BABFBFFD37B223D41736D2148A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403368Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:30.139{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EB87CE3998388564F9B42B7177A5425,SHA256=D8E0156B8C9BC7FDB4EA85EAC5AF745F25C5650B0EF9DF6B2356491DEDC29AEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458501Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:31.568{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67BEF547A03B319111693A590B5BAB6A,SHA256=C49814C074402270AF6454791F0A4E5188286C421130BB9F29BE55AF19BA83DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403370Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:31.733{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403369Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:31.139{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=965E2D1E2B4A298D9AFC6064C49FBC7B,SHA256=851F2CB3EC76E4D42C3932DECDD03884C960095BBBB8B019E1851733A5F257BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458500Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:31.137{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458503Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:32.586{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1072F7CDC0CE4F9D45C7568C40EE6FFE,SHA256=1FA9BCB98A1C63E5C49536FDE58EAF73362EDC3BC4F01C4955F268BF292E4A5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403371Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:32.139{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AEC5185F192E9E9046843C01CB5525E,SHA256=2D3283510CE3B213752E59EC81B06F0CE64A797C036863D2F5616F0461E5BC31,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458502Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:29.666{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63278-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458505Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:33.603{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D85822A96796B33370D9E292CDCEA9D,SHA256=F8FBE54437C434622D20E65AC95E753B58136074541D1D5740F81A41C55A6BE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403373Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:31.943{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54247-false10.0.1.12-8089- 23542300x8000000000000000403372Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:33.139{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=298DC4F112BAFAF0609EFDE2523816F4,SHA256=46B293B2B754A1711FC6F72723B3052AB65775B0D7AFFA1B2D0E8D08227B6A25,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458504Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:30.565{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63279-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001458507Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:34.617{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D5E884C413B675485718D5E7C2FFD2C,SHA256=08992E454B92FD1541CC0AD8D327AE7B4BD5E252C92F3A19A66400BBA5FF13F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000403388Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:34.764{7F1C7D0B-0FCE-60E3-4F0B-00000000D401}868512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403387Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:34.608{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0FCE-60E3-4F0B-00000000D401}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403386Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:34.608{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403385Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:34.608{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403384Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:34.608{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403383Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:34.608{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403382Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:34.608{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403381Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:34.608{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403380Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:34.608{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403379Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:34.608{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403378Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:34.608{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403377Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:34.608{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0FCE-60E3-4F0B-00000000D401}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000403376Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:34.608{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0FCE-60E3-4F0B-00000000D401}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000403375Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:34.609{7F1C7D0B-0FCE-60E3-4F0B-00000000D401}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000403374Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:34.139{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C198FE679A25C8DB85FB9F060AC9F8C,SHA256=6D2426594C777AFB2F8C162C1F41B70DBC19D5B9C2C4C522CFC212235BD4D94A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458506Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:34.202{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3E2298A50E766B4D9590FFF6A03D7ABB,SHA256=4AF99FA98A072FA1AB6DEC72C313366FFF7C971342AA77DC8D87A7D43DC4E7A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458508Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:35.632{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE74D06D838245C2FE4E3FB7235293CB,SHA256=8A6C3537129DB45DFD37357C96B9C8751FB98A9E9ADC15BE94E55F2EA72D342D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000403418Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:35.952{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0FCF-60E3-510B-00000000D401}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403417Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:35.952{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403416Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:35.952{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403415Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:35.952{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403414Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:35.952{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403413Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:35.952{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403412Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:35.952{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403411Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:35.952{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403410Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:35.952{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403409Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:35.952{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403408Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:35.952{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0FCF-60E3-510B-00000000D401}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000403407Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:35.952{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0FCF-60E3-510B-00000000D401}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000403406Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:35.952{7F1C7D0B-0FCF-60E3-510B-00000000D401}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000403405Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:35.670{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDAF54427325F695A739FC7E597DECCA,SHA256=199E1FEDC856C8F72D4B9559D3B7D5B243DB9AED22CFEBF9C5DF8DA669D46F2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403404Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:35.670{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86E815A106DF4A0539B2AC410CE90D9E,SHA256=F2378F84D0BE64A770AF2092F058B90856F40F14558B2836BF5A9B5AB87AD2F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403403Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:33.365{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54248-false10.0.1.12-8000- 10341000x8000000000000000403402Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:35.280{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0FCF-60E3-500B-00000000D401}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403401Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:35.280{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403400Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:35.280{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403399Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:35.280{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403398Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:35.280{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403397Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:35.280{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403396Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:35.280{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403395Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:35.280{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403394Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:35.280{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403393Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:35.280{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403392Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:35.280{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0FCF-60E3-500B-00000000D401}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000403391Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:35.280{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0FCF-60E3-500B-00000000D401}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000403390Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:35.281{7F1C7D0B-0FCF-60E3-500B-00000000D401}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000403389Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:35.155{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A39B7F0B144B1452562720D76CDA6FA9,SHA256=B96CFF7CF7444E1A484FEEB89EBABBBB38B17ACC25E1917DE545A0F9F23F1F29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458509Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:36.662{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19866C50F3759B24764223F7D07A94B5,SHA256=C661286CDE8ABA0D016B2D17702CC1F04B6842EBB503592B8250D4CB2038139A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403419Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:36.452{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D15092EAC0EDE6CD9B32E22BF729143E,SHA256=F4D060561F1C7C70DBA82AC77630092ABED72C94FA9BA18BE6794930E3F7DBBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458510Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:37.679{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9231EC9F34D304E01CD815A94B26061C,SHA256=D67944E16E6F8EC44B743B6D5BE6016938CEA02DAAF1089FEB02A1628BCA0366,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403421Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:37.624{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D65976CA642AA486D46A036FD478D31,SHA256=C911C35E4505DEF31E1A3393430BCDB9F43B7610E1E7575583CDB44096A4732B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403420Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:37.030{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDAF54427325F695A739FC7E597DECCA,SHA256=199E1FEDC856C8F72D4B9559D3B7D5B243DB9AED22CFEBF9C5DF8DA669D46F2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458512Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:38.698{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DB383F8E7BA263E2C1199E2F8F9EB24,SHA256=717D78A3DAF8C1A048499C266D5FAE427F7A4E5B0433D5FBF70C2C65695240F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403422Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:38.827{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A79EAC772CF3406563B1852AFEBECB6,SHA256=7AFCBBF65785AB6E123A5E273C94E2383E20D6DCEBF5CAC0AEDC990C6642CB49,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458511Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:35.659{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63280-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458513Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:39.728{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C5704E9344DD77EB09E3411714DE0E6,SHA256=4C5D2B447B588B73AE8831B7C7AE6DDEE94A0599E4DBEEBEB4DF04CD9BF5414F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000403450Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:39.905{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0FD3-60E3-530B-00000000D401}356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403449Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:39.905{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403448Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:39.905{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403447Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:39.905{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403446Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:39.905{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403445Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:39.905{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403444Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:39.905{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403443Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:39.905{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403442Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:39.905{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0FD3-60E3-530B-00000000D401}356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000403441Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:39.905{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403440Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:39.905{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403439Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:39.905{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0FD3-60E3-530B-00000000D401}356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000403438Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:39.905{7F1C7D0B-0FD3-60E3-530B-00000000D401}356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000403437Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:39.827{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7162A99A2A13A8D9E0C59583EE303396,SHA256=FCEF8F2FC801C9243AF273D7548D4B11FF864652C27414B0B594C855A1CB0617,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000403436Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:39.420{7F1C7D0B-0FD3-60E3-520B-00000000D401}36122732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403435Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:39.233{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0FD3-60E3-520B-00000000D401}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403434Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:39.233{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403433Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:39.233{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403432Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:39.233{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403431Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:39.233{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403430Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:39.233{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403429Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:39.233{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403428Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:39.233{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403427Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:39.233{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403426Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:39.233{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403425Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:39.233{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0FD3-60E3-520B-00000000D401}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000403424Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:39.233{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0FD3-60E3-520B-00000000D401}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000403423Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:39.234{7F1C7D0B-0FD3-60E3-520B-00000000D401}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001458514Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:40.758{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CE25B26186187CEDD98A2C53219ECC3,SHA256=F2F515EC24E8FDE2C059D300F4E95C9E28A994E4385476B3781B3FBC57F84FED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403468Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:40.967{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9A71A2F1C55160BF7639B1B985F46D1,SHA256=0CE75F009D20464583F4512F0533DAA31D7713430A878CF6639A8E871B29AFD8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000403467Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:40.764{7F1C7D0B-0FD4-60E3-540B-00000000D401}40441076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403466Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:40.577{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0FD4-60E3-540B-00000000D401}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403465Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:40.577{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403464Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:40.577{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403463Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:40.577{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403462Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:40.577{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403461Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:40.577{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403460Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:40.577{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403459Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:40.577{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403458Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:40.577{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403457Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:40.577{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403456Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:40.577{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0FD4-60E3-540B-00000000D401}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000403455Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:40.577{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0FD4-60E3-540B-00000000D401}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000403454Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:40.577{7F1C7D0B-0FD4-60E3-540B-00000000D401}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000403453Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:39.349{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54249-false10.0.1.12-8000- 23542300x8000000000000000403452Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:40.249{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=059E11C3AB7B2579536B3A9657C5B4CD,SHA256=39D41CEC44BE59002D2278EA0EA5446A272012628C3AEE690724FA16CAA5E056,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000403451Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:40.108{7F1C7D0B-0FD3-60E3-530B-00000000D401}3562544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001458515Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:41.776{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A21FFF5C53EF9D41CC2570B1002AE3E3,SHA256=215F57A4D38050E96357B78061589443EA928D16932F69CFFA831D5F89444214,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403482Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:41.608{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEB41DD93D0CA75DDA2BAF81B3D45BE3,SHA256=D0A916A08BB88CEFA8193E78F233BB9A897B0A2FEA1E681BDA7FBB1C18ACE262,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000403481Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:41.249{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0FD5-60E3-550B-00000000D401}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403480Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:41.249{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403479Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:41.249{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403478Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:41.249{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403477Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:41.249{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403476Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:41.249{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403475Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:41.249{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403474Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:41.249{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403473Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:41.249{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403472Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:41.249{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403471Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:41.249{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0FD5-60E3-550B-00000000D401}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000403470Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:41.249{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0FD5-60E3-550B-00000000D401}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000403469Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:41.249{7F1C7D0B-0FD5-60E3-550B-00000000D401}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001458516Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:42.809{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56C47C5B237C88DAAEF444A188BC0312,SHA256=137F5BFB3AC9CE9B8BA4E1448AEF5A1379A04450D108729BB1CD7C28A785DC5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403483Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:42.170{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95D78C9AE2144C077C40DC313A8A44D3,SHA256=4584C12A3B20B095F67F9CE5A9EE97AE70E2DD8BD5FA0D9B6A54F882D126589F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458518Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:43.823{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D824209E21B7C7223E7BE0811D97D7B7,SHA256=01E757B5B88BA1CA2FC6DCAAD1ABB27426E2AE846604AE143DBA7456CCBF3E2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403484Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:43.170{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DDDF17050235B9329CCDE40C1632F96,SHA256=B07778344ACE39CC58BF4D3F9C479C6C99B3E03B0278D92848C72D280AD7A00C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458517Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:41.653{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63281-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458519Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:44.838{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=626F690A961637002FDC4B0DA55D2738,SHA256=12FFE48E78BFA74615A86F2E5903E7D87F6CCE44B020256816975486B23DCD9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403485Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:44.170{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E93DE367C94C69A76D78D10325ED4655,SHA256=A6AC0DE9D0D8089AF0655264D316F6F7583BFF7911FD39FDF6877732ACF551AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458520Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:45.871{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D49921926826BD4576A2E407015AC60,SHA256=68AF20B3BA91C63F99E3376E7B3E9B168359A1334287F9DFADC7CC95E6F6A65B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403488Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:45.811{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87BAD317FCAB2CB6BDBC328AA6E9F757,SHA256=434F42AD1B3C35E11E10D2875AE5D5742BE72A76A29453776F5F80CCC1DB7425,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403487Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:44.648{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-61634-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000403486Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:45.170{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19ACC3DE387191E525B9996AB8144D92,SHA256=F287D676B717AA7CA791DA17CD314A2E0273173282FA40DFF923ADD89AD9EEC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458521Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:46.889{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79A48686AB524A4F9567C4B1DB7E1AC2,SHA256=617A0BCE0E23182198A2CCB26AEF6E694E649FA1FD16D4F78F728E88934FC251,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403490Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:45.349{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54250-false10.0.1.12-8000- 23542300x8000000000000000403489Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:46.170{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02B608D974DFAC3B7DA161A38CDBD523,SHA256=6ACE0EE2582A4A75BA84C11510784DECB2350B4CB5FF1A921248994B1DAE82BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458522Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:47.904{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BD77DE9260D0953CECFFA6514AF8900,SHA256=A7BAA32D40BD81BCA7B935B14B109B127C2B5A3DB69AD0127CBBEE01C0617EBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403491Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:47.186{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C22F22D9631C1A5276744270C38754BB,SHA256=77528D5F1256A31B213CE73A35D98C43F4A75094F10D67E7BAA4BA40F619F505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458523Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:48.967{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A729541B6A90C145FEC06148DBC81F71,SHA256=B22AB152EDE7BA665CB22DCBC07C5C62B9BC94618B2F177F8E924160B0CD1D3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403492Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:48.186{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90E211F5946139BAD6A79227271BDF1A,SHA256=3B2A629AD053DC03263F48CE6308106749517E980CB7FD5036F00E3D6F9DE70F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403493Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:49.186{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A680CC5F9E7D42B45500BF5B9A43064F,SHA256=2A08D2A9155977CFAA31CB50E7D18B9732D15AC2DA311A3FBCCF9C8E1914A9DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403494Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:50.186{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37797576D6F4EB2DFBC26D90C45E7241,SHA256=54713A7AA934B7E7FA0BBC4113385E24D4C6B06491E052A76AEBAC2D4B5D16B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458528Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:50.501{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1500-00000000D301}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458527Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:50.501{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1500-00000000D301}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458526Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:50.501{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1500-00000000D301}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001458525Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:47.679{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63282-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458524Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:50.002{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F585A6862A3DA5816FB212A0312C4314,SHA256=A249992A88E478D39FF5AA051F22043FD2A5BC776C28E49D0B5472771CBE7DC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403495Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:51.202{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=236742009AAA1C03CA0A6B5437DED924,SHA256=100F40D68745483D6C486A7735D007043FA3AC8CF6F02BE736A03380CEFC2B1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458529Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:51.002{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=274997925BC4B49C73102EECFB4A8B08,SHA256=DACE2288F3877E4B628E9B0E7FD8F2AE5237BBB56E006CFD014FDB5D2F54B86D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403496Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:52.280{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06D227CA6B88C1A62DA35208DB141ED6,SHA256=B15166CBE02005CD614D0B6ABBC1138C6DA6DEB859DDB07E0ADB3F6A86B48EDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458530Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:52.017{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72E545D0E39075316C417B5B528A7FA1,SHA256=E0900A0EC4BD89EA174D3B4B6A4044E8DE1BE140ABB589E7A9DC218371CCDC6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403498Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:51.350{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54251-false10.0.1.12-8000- 23542300x8000000000000000403497Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:53.327{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C8B78425C297050296300586A3ACBAF,SHA256=CD0D709A35C8F6F9D89648B7BF57DEB9C0C7AE9F0DDF212723B5934F723FE42B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458533Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:53.966{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F03C55DB31BC482A14C5DD9733270640,SHA256=B2FB1501BAB202D82EC18CA9FB413F9F85A78F0857FC8FF78094174073ACF8CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458532Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:53.965{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=022C5AC1A6A11092D4E25123BF559DB9,SHA256=942FD907FE270CF5217DA9E38A724ACB41A2821EAA866CFC0A1EC0CF9117A97B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458531Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:53.032{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=405427CCDDD6C9B971D5665E80F982AC,SHA256=880D633A32910126F8A114166DCAC1E8C44204E4C7701C7F18E3E56376F48BF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403499Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:54.358{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=153D0AF17E4F151A949F560408440101,SHA256=ED30563B71744AAEF225237B6AAE7C779A6D4E96BE99A2A29E17563E868860A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458534Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:54.064{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2CAC3EFA0A889103E763160700D6EE4,SHA256=B64F642EF9156B1C6008656DA0A54647D2755CA5E13E23781E9650A53214E7C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403500Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:55.374{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A18577F8B45218198490B84DCD0AB511,SHA256=2CB96C7100E5CA8532F517ABB3D02A4DB0DB6C9AB8EACDA54A501866CED32D45,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458536Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:52.691{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63283-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458535Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:55.082{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D39EC2F46831A78F4C1B73223C8B5E9,SHA256=31F92B6C00DB451D147A9DD5C5D254A0B5EEC5A4E5B9E3AB48381B00B37401FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403501Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:56.514{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9520BA4643AE789CC06305411EEC4EED,SHA256=EB708D380F6D84F49A2FEBDE11F3A665588BC2E665A0D3B2D0E0C81BFD6A873F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458537Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:56.113{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F0B48C4E4C1B7D4D5DE1654410535B7,SHA256=A0A584D914A21F0FA96078B496850169CB8A0A0100503C0D462FE33774B689E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403502Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:57.688{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=953D95F474FDA93DAA5CDA0A17FC728A,SHA256=779FA218AAAC96430F353ABFEFB5E13A50CA9DCB4EF5ED2B2B5C0502F3326D9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458538Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:57.127{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D69DAC157CF70C3C6F01E79373A9BDB,SHA256=BD4FA7599F99E8B872F6DA6C4AF2A9360DF75C2788CF4077F73A5F6C4DAE671C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403504Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:58.813{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CACDCCD95190834029F99FE08D482666,SHA256=F8DED7C6A9C85541E12C0E9DB3F8EB2EE63A2652D275084084A5AB2958308FBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458547Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:58.910{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0FE6-60E3-E80B-00000000D301}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458546Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:58.910{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458545Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:58.910{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458544Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:58.910{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458543Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:58.910{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458542Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:58.910{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0FE6-60E3-E80B-00000000D301}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001458541Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:58.910{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0FE6-60E3-E80B-00000000D301}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001458540Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:58.911{D694AEB8-0FE6-60E3-E80B-00000000D301}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001458539Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:58.161{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3550A3CD60ABE12D37AE88CF313EEAC8,SHA256=326FE1ADCA2E8663B239C773BEF9B6CF675E5623A818974B632C7A4CFBD0D03F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403503Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:57.352{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54252-false10.0.1.12-8000- 23542300x8000000000000000403505Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:57:59.829{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF9C84A0A520C17C36DA8867FA7355D7,SHA256=AE32C783C65F91E73AB53DECA02D71D7ED36D383C9B7A574494B69E533E35FBA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458557Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:59.725{D694AEB8-0FE7-60E3-E90B-00000000D301}54766388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458556Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:59.578{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0FE7-60E3-E90B-00000000D301}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458555Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:59.578{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458554Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:59.578{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458553Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:59.578{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458552Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:59.578{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458551Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:59.578{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0FE7-60E3-E90B-00000000D301}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001458550Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:59.578{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0FE7-60E3-E90B-00000000D301}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001458549Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:59.579{D694AEB8-0FE7-60E3-E90B-00000000D301}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001458548Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:59.179{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB14C1C83F413E83380F043C4CB36D15,SHA256=F0DF1594EDCB5F9008877A21600056E4488BE274AC817165CE6FB548B93E2F2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403506Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:00.829{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3469CD7DB04926CA15DEEA6479D72798,SHA256=88F1BC2596167D461A8845F92DCCABB8E9CA3F56F81AADF3DDDE65F56C807587,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458569Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:57:58.703{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63284-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001458568Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:00.261{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0FE8-60E3-EA0B-00000000D301}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458567Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:00.259{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458566Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:00.259{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458565Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:00.259{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458564Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:00.259{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458563Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:00.259{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0FE8-60E3-EA0B-00000000D301}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001458562Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:00.258{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0FE8-60E3-EA0B-00000000D301}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001458561Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:00.257{D694AEB8-0FE8-60E3-EA0B-00000000D301}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001458560Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:00.194{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=064BC4A732D07BA876F98C043764A001,SHA256=EDAAEA9AAB4B6A58087C94D973A8B67885BE3A0153F3E669920D6EDD19BA7E46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458559Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:00.041{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52B95D7C44B5207627737E9F3B374AA8,SHA256=87AD33AF9D5FFEDA0DABC4ED5DEB8C9EE886AEE8305F680D2AD5DA7BC9EB37FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458558Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:00.041{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F03C55DB31BC482A14C5DD9733270640,SHA256=B2FB1501BAB202D82EC18CA9FB413F9F85A78F0857FC8FF78094174073ACF8CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403507Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:01.829{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19D9C3E05F688395E37D568DDBACAEAB,SHA256=ABBAC8DF816F5F5A84642F49ABAF461A431F0ADA15EEF59F8988A38E8C7309D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458571Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:01.340{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52B95D7C44B5207627737E9F3B374AA8,SHA256=87AD33AF9D5FFEDA0DABC4ED5DEB8C9EE886AEE8305F680D2AD5DA7BC9EB37FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458570Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:01.209{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A782060F7F73C8DCA7472597D2FF0CB,SHA256=A4A4938ADE5B90F9CD6E8EE98FDE440845C75DAA273810DAD3357E09F1A1F7CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458581Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:02.723{D694AEB8-0FEA-60E3-EB0B-00000000D301}28605548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458580Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:02.576{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0FEA-60E3-EB0B-00000000D301}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458579Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:02.576{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458578Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:02.576{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458577Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:02.576{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458576Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:02.576{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458575Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:02.576{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0FEA-60E3-EB0B-00000000D301}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001458574Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:02.576{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0FEA-60E3-EB0B-00000000D301}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001458573Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:02.577{D694AEB8-0FEA-60E3-EB0B-00000000D301}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001458572Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:02.239{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F2F6C37F08A16CFA28448381A2AC9AE,SHA256=81495C98045A13E142739DC1D3A39BAD2369FFF288CD335F237FC23A336630CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458600Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:03.922{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0FEB-60E3-ED0B-00000000D301}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458599Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:03.922{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458598Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:03.922{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458597Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:03.922{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458596Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:03.922{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458595Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:03.922{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0FEB-60E3-ED0B-00000000D301}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001458594Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:03.922{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0FEB-60E3-ED0B-00000000D301}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001458593Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:03.923{D694AEB8-0FEB-60E3-ED0B-00000000D301}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001458592Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:03.607{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF1F08D5D38E26620380AF79C78A38F9,SHA256=539630BB13F14871B12ADF585A68BEA5712542ABD0E960813D07DDEB713A0800,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458591Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:03.407{D694AEB8-0FEB-60E3-EC0B-00000000D301}71565016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001458590Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:03.260{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB76A28531B245F8D229B5D3EEB33D53,SHA256=925D9C0223C3C3CCE5E50ACD90EB6A4BD7AA9098206852B9E75B888BC775B873,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458589Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:03.259{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0FEB-60E3-EC0B-00000000D301}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458588Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:03.257{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458587Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:03.257{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458586Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:03.257{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458585Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:03.257{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458584Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:03.257{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0FEB-60E3-EC0B-00000000D301}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001458583Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:03.256{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0FEB-60E3-EC0B-00000000D301}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001458582Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:03.255{D694AEB8-0FEB-60E3-EC0B-00000000D301}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000403508Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:03.001{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33D792E0CAD2A4F338AC99ACF136E82B,SHA256=24BA49C090A733546C8DF86945ECBF981D284EA1F5820B8A74F7170DCAFF102F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458611Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:04.938{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C8C6790CB0B9AC49E4831EB537CA786,SHA256=FCDCCE6BC7D2B68CD2DCC27526E45604AC1B024546C0A8A4F9A9DB26AD0FC1E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458610Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:04.759{D694AEB8-0FEC-60E3-EE0B-00000000D301}33161568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458609Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:04.606{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0FEC-60E3-EE0B-00000000D301}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458608Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:04.606{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458607Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:04.606{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458606Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:04.606{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458605Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:04.606{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458604Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:04.606{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0FEC-60E3-EE0B-00000000D301}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001458603Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:04.606{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0FEC-60E3-EE0B-00000000D301}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001458602Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:04.607{D694AEB8-0FEC-60E3-EE0B-00000000D301}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001458601Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:04.337{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F32EC4F7EA02AEB1FE14BD22E7BC6FE,SHA256=6543BC676981D32A0C3124F776C97129298952DF220CB20CE497B4224F14C56D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403510Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:03.305{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54253-false10.0.1.12-8000- 23542300x8000000000000000403509Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:04.032{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FF794D645E01043D4DEED2C58FA287A,SHA256=CF3ECBDA142002910AE73913D838FD66B42C2245A448B8B1C774EC643F2A0981,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458614Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:03.651{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local63285-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001458613Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:03.651{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local63285-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001458612Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:05.358{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70247D75BAF9D35744E00372AD0EBC1E,SHA256=76DB178D38CE9FFA026F7688CA232068D4B603DFF225E832479F474752E2EFB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403511Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:05.032{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=329A2402A56495B340AAA25D4D75A01E,SHA256=0D1D97226F6703F390A2865D11627EEE024EFAFB155C70AF66DEF01BCCFA57F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458615Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:06.374{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75EE51DD93E24AE83B25A3E48001CA28,SHA256=1732B3AC325101EEA829301A2CCB6D603C6F510076E8C7BF574D6E508E9CFC91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403512Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:06.048{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D914358644E93703E4EDF40EB5DC8AE8,SHA256=CF47FE22B9264F054BEF3343EF28040E5106417C60301962FC2ADD7D82726715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458617Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:07.388{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2D26F3F5F676AC0A409CAB3B7D4BBDE,SHA256=9B4D50B81ADCD4E02D53BD7918EF01B644CF8AFBA229E519180C07D94B78C218,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403513Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:07.048{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA35DE5E8B837DC188D3DEA307C1C554,SHA256=976CA4CAA4AEFE5A7122315C5EA35F2FE19AA1A1C1296309AC35140528413200,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458616Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:04.697{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63286-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458618Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:08.418{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61FBA8500006F173D75DEEB315A1F477,SHA256=2FFCEA8446F04C2B10AB9C1857EB49BAB9B17D26BAD2D6FC0E237683D6FC3A75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403514Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:08.048{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DE21980B404C6E7D7883AFF49D24062,SHA256=7BB63AD9FDEF18EC69B5BB907970CE24ECD894D2DF70C74612B6EDB04A01844E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458619Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:09.451{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DC455AD91D53A87F5DE7C80A2469FC8,SHA256=83914322EB4C4EEBB3A6B51D34DE6390B6D1A002B891C09F40C8D8008A779DF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403515Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:09.048{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E0262ACD5316CED87E711891504A378,SHA256=27C6551E03D28C0D502BD5414FD25A11581A7441DE6346E41BD304E57D09FD42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458620Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:10.469{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B4E6FF25A21406F6E4D47D6D4D77F8C,SHA256=F959EEF19CB202655995FF394DBCA5C629B27B3CCAEA54E12F14DF34FFC8027D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403517Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:09.321{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54254-false10.0.1.12-8000- 23542300x8000000000000000403516Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:10.048{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06EA13EC9C241526C77403F4309448C9,SHA256=B664BFF1BDCC93DA18CE7847F29BF9D77189DDE24482D73F8AEEF76231A2974C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458621Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:11.483{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3FDEC6AA8F8DE9D0FD98F2F1A0D2224,SHA256=C7FAF7670005EEF73BD1F190CC3D1C5609085DB70ECCBFFA698F007FDD631453,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403518Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:11.048{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F4AC1C049B9217123F6EF5D53042B6B,SHA256=29258450E60DCD6B09C7F7CF0D4CA9B2E1D91ABBC279A53F1C302677F6DB8911,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458623Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:10.443{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63287-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458622Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:12.514{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60FDCF6C7920B03DD808ABF2F502A439,SHA256=9EBFC0B256CC2ADD39233EB4FB2A4DF21D6E78E11ACA7B3773674635C68CEDE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403519Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:12.063{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1545792D91868BDEFB4CDA43149820B3,SHA256=4D2567C865F0A2A1076815DBA0C0312FB6E8B84CE710A45E232BADFEACA62F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458624Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:13.528{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA9B215E0B3C7933EE3BD19768A63315,SHA256=887EA92852D948F6ED2D35CBC7B2A59B9150A7DD0D4B947874C7EFA13E2FFBFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403520Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:13.063{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E614E0D0197A16BCF052302C682F45D,SHA256=7F50151E2D14E46FE37B297541A98FF293A394DC8D77A73800B28CF473A46F9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458625Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:14.580{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F17194CB7D9A8392AB2AF3AD010471D8,SHA256=6BE9B3A0ECEDC4D5B0A59D2DC47B8F0E3922EB7D4AF241F7A64B956FD40B0B0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403521Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:14.079{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FE4CCF0E47E98F4BA297CC938F46B0F,SHA256=E0F30009CEE00BCD86E71561BA70E64A4E0F4D943E03B75E4A17BC2629DB3326,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458626Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:15.595{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6918F26B059B48B95C51D2F6161B17A,SHA256=FBF8D08A8194A2D518EC08801AC3D83C7231BE02206FC8D1EC5471DCCA8106AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403522Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:15.095{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C3340D6A8B33C0855ED3130393E3412,SHA256=A5362128298049B99D6F714B123B7427E8AD87CD75D2FF4EA83AFFA34F5DFBDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458627Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:16.610{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B22F80F33AE0B8DD61BCA133CE049DEF,SHA256=A34D0FC1B774BD248E804FECB2C2CF56A07D0A31E27064B057E3F0B24B565209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403523Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:16.095{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90CF3881254A5A5893437DCF1AEED5F6,SHA256=BF083E72EECD2755C4ED0653E64967CB8D317D4A5DBD7D1C3A8D4FC6B9B6164A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458628Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:17.624{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C57901514F96B4AFEDBF94B211ACF17C,SHA256=BB516871CB174122AB7DFE77B89C1F4E8412AC42AB65D57A6642D5B286DE4CEE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403526Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:15.509{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse104.43.194.66-1024-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000403525Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:15.290{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54255-false10.0.1.12-8000- 23542300x8000000000000000403524Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:17.126{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E65F1F61D36910FCDB9281A27F76C78,SHA256=6ED9527FAFD08D5E30A4018B19E72C0592DED8897DF8FFEDBB6E07A1F7FAB93D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458631Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:18.676{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18A3256D5062C71B9F05B34ACC46214A,SHA256=304E2713AAC9CBC64DF4729365C545A7CB623BE837C5A43DAC4EA0CC032E1911,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403527Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:18.141{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=011662DE0F35AFCAC54B7D6845076ACE,SHA256=A00C734D1B13A5F11380AE4CCE8F7E92E80C7E607803C1FB2FB92D3E8023E2A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458630Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:16.428{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.15WIN-HOST-88452922- 354300x80000000000000001458629Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:15.654{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63288-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458632Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:19.690{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2476ACD44A6DFE413A1CA804A1740190,SHA256=9D649F17A752EECB278C0A4A5F23EEDFF7F97A24D2B5868CFFC13F3E7E9F8A02,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403529Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:17.212{7F1C7D0B-B3E4-60E2-1600-00000000D401}1300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:9840:442:84cc:ffff-52922-truea00:10e:0:0:0:0:0:0-53domain 23542300x8000000000000000403528Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:19.235{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED91F2473C96B371C8BCE4DBEFD8234A,SHA256=31E4A4BD6888559B0094F694CFDF6BE0C0EC4075238983D0BE0A01C5A3936D81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458633Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:20.705{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=919E7DC44805537C394641BEDE688CF1,SHA256=D91172678AFFBCFE660B1F9C7A9FFE684AFB7B4684F6A75E618E8979B3196E59,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403531Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:17.244{7F1C7D0B-B3E4-60E2-1600-00000000D401}1300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-884.eu-central-1.compute.internal52922-false10.0.1.14-53domain 23542300x8000000000000000403530Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:20.235{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37AE4E7BAE0681B15BA3C999254C1D52,SHA256=CF883DE04C6B09FFCEC42A343F4BB97FDA662ED62DCE1F198C691DC4CEA89CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458634Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:21.720{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25014EC7FB5DE34F850FEF72AC587C24,SHA256=27511DE51FC50EEF346E455629A6151605708DF2F8103D2873C95C7BCD5F5C1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403532Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:21.251{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=462572A011F06A0BC402CB00D5BEF4FF,SHA256=DEB01C87F0F27734F67A75B2BC438C997B49DA0CF76232D46AABB0E16D1EDC7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458635Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:22.736{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D26BC370AD584936401846B056ED61B,SHA256=A6D8012C9CC8780A5C8BEDE929FAE4CC8F74E031379F2EE16A5FDDA6B58984CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403534Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:21.290{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54256-false10.0.1.12-8000- 23542300x8000000000000000403533Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:22.251{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DD346EE366B7DCB3F1CC521919C59CF,SHA256=9C8D5BC066EB563EBC3A8A9ED1FAF4EF0AD531E82F89F1D17DD1F347626F4733,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458636Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:23.755{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8844068532D7AD76EFF05526A7558529,SHA256=A615E14E1EAAAE95E725D230270451844197FB772DFF575AD4ADDE1E3BC8CD56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403535Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:23.251{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B5A0592629F0E4241A0A6C9AE37C45E,SHA256=5D52BB700C12D546715FADECF9C19347DA366418D341B6B014D77FFC6A2241F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458638Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:24.769{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1920008B878D6D6789071131EDEE8476,SHA256=505B8F836418FBB9654C309FD483E9DA30DF34D93AD17DAD8FA4EFF83D60A9A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403537Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:23.572{7F1C7D0B-B3E4-60E2-1100-00000000D401}996C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:884:baa:f5ff:fef0win-host-884546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 23542300x8000000000000000403536Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:24.251{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4962F61C07214146D47715FD869B2BC6,SHA256=C69B3F9C9AEFC812763C971B72169392FA97169A040DA9E83644870B1E9EC39B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458637Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:21.632{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63289-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458639Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:25.784{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D0C3107E8374D7571C12674F55C12D9,SHA256=DEF5FBC18D3AA005F0727B22893F8F02337617AB8F187DB706A3205392A53D37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403538Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:25.251{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E8FD76825A373800B80C81A90174B3A,SHA256=F8D45CFB2346C98D2ED0E043739C2AE6F2BFB28B7F873734E7C341FA374B0B72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458640Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:26.832{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7264C159A9CED5A9D9C307076F93B5FE,SHA256=716F5FC8AACA37BE79C6B86D975832B437E38F39FF9D866D556DBEFBA021D2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403540Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:26.438{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=8DBD018C986C8638756955D0BEC070FB,SHA256=FF1DDB43DF72D968C42B8BD1A08B1441D031970CB79BEE15819295CD5B107B54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403539Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:26.251{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCF3EB57906F8F6CE4F1A29EA09D4998,SHA256=CE15DE99BA9910BF69224E2BA62E606B05EC6F3F1F8299334931CE19B64E3378,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458641Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:27.850{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5F978C552620AB44F819B545E314C26,SHA256=D22CD5E9A99F5A8AC95F8A0A15FE0E5D4DCCBA11A8C091294888FCFC48A1D511,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403541Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:27.251{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=530FD3A36FBCE738921869CF354FD62A,SHA256=2F8D95F6A57AC699473359DFC01D5E08B19FC21DCBFA04D8B23C6972A31AD19F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458642Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:28.865{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF55197771E3AA6F6638B5D2FF219C5D,SHA256=8688B645D2DB979A10FFB99AF2643739374215AC76DC8E43B7C954939D78C85E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403542Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:28.251{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31643632FABBC81DA3F4C8CBC1BC0605,SHA256=BB716F751019E548810CB92B4EEC08DBF9000212148C4C5A1B826CE37CBE9B9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458644Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:29.879{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A178075FD7ADBD09E036A215FBF50BF2,SHA256=EB5C677D897AA976E0E01956DABEB19867F28420CC426F30AAC235045097D168,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403544Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:27.290{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54257-false10.0.1.12-8000- 23542300x8000000000000000403543Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:29.251{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC8F511FBC516A529D68637B46BBB609,SHA256=C1D42B7D6EF1592B5C3541BCBB6E37657B59DC03F28B6731CB93D4D66A8E75F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458643Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:27.609{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63290-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458645Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:30.894{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F69E2CA8C42E4CB033B3E8D5CA66A4B,SHA256=A373EDCF12A8D579248AFE892DD3E3F32120EDF77CC2F933B07671867C2A89F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403545Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:30.251{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9824AC6C4FC2C7D3C51AA3085B3740C0,SHA256=3F717CB3DFDD222C3A0E54B5E9A9541EF7C37AA460F5046773B9D6E7CEB1FE52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458647Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:31.927{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F41DAE956DCC70007B7C99A5A65163C,SHA256=D6A99A3ED3C9BCACFBDF5F88205832A39D04F26DFE15A781791494169108741A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403547Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:31.751{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403546Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:31.251{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ED67C890821121C0FF0DF350A43F93C,SHA256=59829583FD98908D8A8FBD14855EF2056F0DB96441A007866CC80C2728D6F1BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458646Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:31.163{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458648Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:32.945{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB2D581A279A7E3CE1827608426E8AA9,SHA256=A5ABEF6D4A8099A1222E85C0EC5FEB2A96399A01AEC530A92B5E8A17C976EC5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403549Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:31.962{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54258-false10.0.1.12-8089- 23542300x8000000000000000403548Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:32.251{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39788CCF4293D0BA50B4C9F6EF632E12,SHA256=E26647F3D096F1363724C5865CEFB8DA30F34E8E8EFC6603CCD96A0438A6CEEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458660Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:33.975{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEB9DBB5AFC365489566E39AE688DCDB,SHA256=B0809FFF8E5F5BC12A5AC379109D4F54F4C4201C8C5308D782D3ECA082836DE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403550Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:33.251{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18A891CCEB77AA2ABE0CCDBB745B0A09,SHA256=E47E4A688FD5364803DCE319F1D69DC6A0047A23A0237D8E35B807C42309BC5E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001458659Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:58:33.423{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001458658Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:58:33.423{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0167eef1) 13241300x80000000000000001458657Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:58:33.423{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7719d-0x757feac9) 13241300x80000000000000001458656Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:58:33.423{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d771a5-0xd74452c9) 13241300x80000000000000001458655Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:58:33.423{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771ae-0x3908bac9) 13241300x80000000000000001458654Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:58:33.423{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001458653Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:58:33.423{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0167eef1) 13241300x80000000000000001458652Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:58:33.423{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7719d-0x757feac9) 13241300x80000000000000001458651Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:58:33.423{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d771a5-0xd74452c9) 13241300x80000000000000001458650Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:58:33.423{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771ae-0x3908bac9) 354300x80000000000000001458649Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:30.591{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63291-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001458662Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:34.990{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFC7B45385CA322AB79CCBBBCE6426F5,SHA256=154B3466D97FE731C76A0C18A6E52E48ABEC60B7C2F557A2B1CF9693EA2C8EB9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000403564Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:34.610{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403563Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:34.610{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403562Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:34.610{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403561Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:34.610{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403560Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:34.610{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403559Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:34.610{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403558Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:34.610{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403557Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:34.610{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403556Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:34.610{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403555Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:34.610{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-100A-60E3-560B-00000000D401}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403554Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:34.610{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-100A-60E3-560B-00000000D401}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000403553Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:34.610{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-100A-60E3-560B-00000000D401}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000403552Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:34.611{7F1C7D0B-100A-60E3-560B-00000000D401}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000403551Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:34.251{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA274A6BCFB82EEAE2C67D857F0305DD,SHA256=EB51DE5BD0032C8F6FF57A2C69006B15C0BEA91CAEC097BB49557A6307350FB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458661Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:34.206{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=757B9835D9717E4282B7F48B96440B43,SHA256=4DEF1F561D2A6C36DE3B6C6D941162E52250BDB5BC9709AE26BFF6486473FB1B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000403595Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:35.766{7F1C7D0B-100B-60E3-580B-00000000D401}31603364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000403594Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:35.641{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB33397929452556EE955F1B7921FF84,SHA256=71FE0827FBE71DAB0E6604B80B34329B77BCC4136D7F3E18AB84FEB35EB2AC7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403593Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:35.641{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=384CAB9E59C87C95468856CACC6E2ED0,SHA256=694AFB174EAC4F491731411608DB6FD1AC635494D2D7353585BD73C073375205,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000403592Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:35.610{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-100B-60E3-580B-00000000D401}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403591Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:35.610{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403590Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:35.610{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403589Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:35.610{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403588Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:35.610{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403587Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:35.610{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403586Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:35.610{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403585Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:35.610{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403584Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:35.610{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403583Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:35.610{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403582Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:35.610{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-100B-60E3-580B-00000000D401}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000403581Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:35.610{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-100B-60E3-580B-00000000D401}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000403580Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:35.611{7F1C7D0B-100B-60E3-580B-00000000D401}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000403579Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:35.282{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32279E77682FAB3147FF134310D1C725,SHA256=23D3DF6E548BECD50D945440ABD297C8EC678082F1A298A987EE26A013A1CE21,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000403578Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:35.110{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-100B-60E3-570B-00000000D401}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403577Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:35.110{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403576Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:35.110{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403575Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:35.110{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403574Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:35.110{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403573Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:35.110{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403572Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:35.110{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403571Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:35.110{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403570Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:35.110{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403569Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:35.110{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403568Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:35.110{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-100B-60E3-570B-00000000D401}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000403567Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:35.110{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-100B-60E3-570B-00000000D401}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000403566Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:35.111{7F1C7D0B-100B-60E3-570B-00000000D401}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000403565Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:33.306{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54259-false10.0.1.12-8000- 23542300x8000000000000000403596Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:36.282{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9704D5CD24877A3E0478CFB6393203FA,SHA256=F53D87A743F5CCD4AAB77A5C994C1AE2276986002882F74A46351C9842E7DB1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458664Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:33.619{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63292-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458663Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:36.023{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E26CAA5BD2A741E469B843EC55CAA1A5,SHA256=D9C6C50B9C0F4A3F42873BBF3F6D4F929E3B06A8401D822F44788BCE1D9529DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403597Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:37.282{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B41BD4CCF6378B692B11605642979165,SHA256=52A3660ABB67B714E28AC1DF42A791D6FB9B66022E330B1B9205416932970030,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458665Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:37.040{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9E68B1556BABCC8D1F52A92D050CB9B,SHA256=ACE63617713D3D30842A99D6A10C8EC491E31EA8E5FF71D23048B2B1379FD812,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458666Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:38.055{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70697EA165155AEBB174BD6BE4E93FAE,SHA256=270F6F4555010D6AC2823C7053B2D82F6DAA7B0BD709FD74B04FC5FF86117C42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403598Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:38.313{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38B037E4F26EB6D741526FEFB9E1D817,SHA256=F2ABD75723A3CE1FAB6CA40672E18A0DF5667F81AEE32996DE5B75F9D2C18418,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000403626Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:39.907{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-100F-60E3-5A0B-00000000D401}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403625Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:39.907{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403624Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:39.907{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403623Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:39.907{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-100F-60E3-5A0B-00000000D401}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000403622Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:39.907{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403621Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:39.907{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403620Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:39.907{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403619Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:39.907{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403618Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:39.907{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403617Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:39.907{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403616Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:39.907{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403615Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:39.907{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-100F-60E3-5A0B-00000000D401}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000403614Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:39.908{7F1C7D0B-100F-60E3-5A0B-00000000D401}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000403613Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:39.407{7F1C7D0B-100F-60E3-590B-00000000D401}33801956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000403612Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:39.345{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1B5D09A32416027A955930E50541C47,SHA256=8A6793D482F1369F45967D621AEE02AB6D7F0A65FA8054CC9A6A29045FA93917,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458667Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:39.069{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62A9CA6D94A05E954273774AB9CC82E9,SHA256=E186773293336E50C6CA870859A2201ABFD49F8D69E6F3F674F525B53480DB19,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000403611Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:39.235{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-100F-60E3-590B-00000000D401}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403610Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:39.235{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403609Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:39.235{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403608Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:39.235{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403607Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:39.235{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403606Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:39.235{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403605Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:39.235{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403604Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:39.235{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403603Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:39.235{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403602Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:39.235{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403601Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:39.235{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-100F-60E3-590B-00000000D401}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000403600Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:39.235{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-100F-60E3-590B-00000000D401}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000403599Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:39.236{7F1C7D0B-100F-60E3-590B-00000000D401}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000403642Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:40.579{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-1010-60E3-5B0B-00000000D401}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403641Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:40.579{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403640Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:40.579{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403639Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:40.579{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403638Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:40.579{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403637Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:40.579{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403636Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:40.579{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403635Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:40.579{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403634Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:40.579{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403633Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:40.579{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403632Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:40.579{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-1010-60E3-5B0B-00000000D401}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000403631Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:40.579{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-1010-60E3-5B0B-00000000D401}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000403630Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:40.580{7F1C7D0B-1010-60E3-5B0B-00000000D401}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000403629Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:40.485{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=759BFBD7997AB372A79B975205776470,SHA256=5A49C724256BE66DB056183E8222BE4B534BF7C5A90B259B1AB6AB12F3277307,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458670Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:40.684{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21281D6598A29EAFB297A5397EAFD004,SHA256=02FA2042847B4145744A73C3767DA0AF5B493416783177D83CFAF58314005E43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458669Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:40.684{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DBB3D10168303FCE703BE860B0543BF,SHA256=F584EC50DD34508212E2D933F92910803F1FC78EEC900D174499B157CE6F1B27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458668Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:40.100{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEB1BE025E0EA259BED40A3847BC7E74,SHA256=AF454AEF39DA13D385B7FA263C970A2487FD100A6F5B1A1A1F6BD14E7C42E918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403628Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:40.251{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB33397929452556EE955F1B7921FF84,SHA256=71FE0827FBE71DAB0E6604B80B34329B77BCC4136D7F3E18AB84FEB35EB2AC7F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000403627Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:40.063{7F1C7D0B-100F-60E3-5A0B-00000000D401}18882536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000403660Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:41.720{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEBFAC9C6241C99043225A80BED149A0,SHA256=8DBF1328F99B98F605A61D9C7288F140A728E20928B8E4970F154C7AB1B2CF19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403659Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:41.720{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D25F7AA671476F05ADE9A7A9BCA3800D,SHA256=A6095ADB0B2BDE72BE83758072B1777D8E7E6347791363F2B8090C01E146FB67,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458672Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:39.628{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63293-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458671Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:41.118{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E33E50D8296C70B00EE7EE3408B3A4DE,SHA256=BDDFF6B5BD54D057466A5F04917C20EA8639020094044B071B183E4D355B2823,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000403658Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:41.423{7F1C7D0B-1011-60E3-5C0B-00000000D401}18001280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000403657Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:39.893{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-57151-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000403656Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:39.321{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54260-false10.0.1.12-8000- 10341000x8000000000000000403655Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:41.251{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-1011-60E3-5C0B-00000000D401}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403654Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:41.251{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403653Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:41.251{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-1011-60E3-5C0B-00000000D401}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000403652Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:41.251{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403651Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:41.251{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403650Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:41.251{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403649Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:41.251{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403648Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:41.251{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403647Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:41.251{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403646Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:41.251{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403645Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:41.251{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403644Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:41.251{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-1011-60E3-5C0B-00000000D401}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000403643Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:41.252{7F1C7D0B-1011-60E3-5C0B-00000000D401}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000403661Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:42.954{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C91FBEDF9A7A2C81B98E0644B5B36F85,SHA256=8ABAEC149124E817586AE09893801822D6532E46ABE1A6DDD6A7797ED36DA8A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458673Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:42.135{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26120BE917639798F7F03F7BC28C367C,SHA256=1618CED5BEEC7963307DBC10CA93844D7C6A9E193D4025A978B7C1AC6AE9D30D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403662Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:43.954{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2780FEC100294B81F838D1B027786FDE,SHA256=EE3D7FEE4806860469714E3A7967591D5A4F1F6D5C3B855330BA92627A6BC875,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458674Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:43.152{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D9922F43A1A1F1C85F38827DD77C49E,SHA256=FA6C9544F019F834C925727330346BBB3ACBA4D4CA358993683CB619C394B804,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403663Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:44.985{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6407CE26160DA789456E198D0BADB9D2,SHA256=200B0E1A98B64BA186FACD3BDE2A2087042B02DCF9439636D7B26DFA91392445,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458678Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:44.267{D694AEB8-D134-60E2-1A04-00000000D301}46644760C:\Windows\Explorer.EXE{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55af0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802AE65A8C8)|UNKNOWN(FFFFFD032B8B4A68)|UNKNOWN(FFFFFD032B8B4BE7)|UNKNOWN(FFFFFD032B8AF271)|UNKNOWN(FFFFFD032B8B0C3A)|UNKNOWN(FFFFFD032B8AEEF6)|UNKNOWN(FFFFF802AE371E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001458677Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:44.267{D694AEB8-D134-60E2-1A04-00000000D301}46644760C:\Windows\Explorer.EXE{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+555d1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802AE65A8C8)|UNKNOWN(FFFFFD032B8B4A68)|UNKNOWN(FFFFFD032B8B4BE7)|UNKNOWN(FFFFFD032B8AF271)|UNKNOWN(FFFFFD032B8B0C3A)|UNKNOWN(FFFFFD032B8AEEF6)|UNKNOWN(FFFFF802AE371E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001458676Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:44.267{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF168194d.TMPMD5=919ED2825C4A4BDE663AD9667A5FF39D,SHA256=D678DD1D213D56000B1DC130EB771A2956EF5AEB8342955305D734169A4F7A37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458675Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:44.167{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC240CBE20951347C96DF40677256CCB,SHA256=C6DC5E6B09E4BEF32DACE2BFBC04952668265566A713485C0843AC7108D88FD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458679Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:45.197{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C292B6176778D0CCCF4F001A4F044899,SHA256=977C9077C35712B949B7A137DBA5079AC5D51ED753BE7EA9F56D3D595180EEAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458680Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:46.250{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BFF37794F19801011547E381CE27BEC,SHA256=FA0FBC00EB53C7697AB7917055DEA6E7A6A25A706016631B868893B6BDE28363,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403665Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:45.337{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54261-false10.0.1.12-8000- 23542300x8000000000000000403664Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:46.141{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF311D86517A3C54FCA428B504642AE0,SHA256=8BF80BDED800D4C5929FBA048AA8D61C51DD89B667CFAD691F84F4C0E62F1FD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458682Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:45.641{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63294-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458681Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:47.281{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3210E97A34ECF55048E3DD208DF86183,SHA256=836A70658CC29D4361BC7BA620EEEAD7853B5E6A4690A9F8485A466BA1B0B4CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403666Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:47.141{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC5A452E0ADB2C38687EBE42E101C261,SHA256=23973F570A6E187FE290A5A3273FF01E5174F62D3DE2F981EC7DCC39E4383636,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458683Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:48.295{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0781C17E02D6D106F96016A1DC4A455,SHA256=0EB7434B66F3594E3B447BAA2CBB7613C7DD131D84A11C9D3CFB5314ADBB5048,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403667Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:48.220{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70B0B87FBAFB58A98FB534AC2D676D82,SHA256=A4062D95C60FBCD02558267B53731ADC59BE8BEDC4C0F409E3CBC3D76AECFF91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403670Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:49.267{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6539B22914A7515EE04CA70A365D801F,SHA256=525EFA5D6EC7F421854D61AC8A9829A04E509B07AEC4D4CDEE607BAD4F9DB418,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458684Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:49.314{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E880DB5F2E4C7E0E13ED3DDD8BFDA044,SHA256=6A8EF22B5B9B6B88D9E6FA80E2C60AE61408B3D1A83A58B2665E1AE58992F037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403669Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:49.001{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51B8914F5ACAF773A1E69549A486F226,SHA256=DB807DA82FD5A8FE57E0A37EA81EF8F0D8C354361E2BE3F96FDDE3D26B69CFC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403668Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:49.001{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=271D5E74A3911880D3DD1959134FA18C,SHA256=3410C910010BFE4BA25457B86C6E0C9C1F8AB4192CCF51BE4005460C486856FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403672Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:50.282{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23280874107B0E87C5A0C4AC49D6FC22,SHA256=8B1A350C3D72598A670D7A06E0BCA749B9A1180E1E23F169E54D491A61594A1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458685Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:50.330{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF50AFBD5E26CD3DD8B9D078B002C4C4,SHA256=79D7E8BDCFAD04D06AAAE3A16E419CA402CFB1D6CFDAA943FE226E2AF24BC58D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403671Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:47.987{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-62248-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000403673Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:51.298{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A57495781E7E17ACFDE2EFEC53892406,SHA256=C050E4DA16F566BE1325EC5FF66ED0042F609F6F5A2F094D597A9AB60FF5849D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458686Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:51.392{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18216DD5D6C897DA9118ACD495942B94,SHA256=F062D2B8788664169FC0069DA3EFB86EB2C4A877199FE7FDAD26D4C59D4661CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458687Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:52.408{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9856E7E04E5F8F362F29D8E94C9F82BF,SHA256=2B17320D4216FA2549BD6E71A999B2C684EC8837D162FA1D80D76BDC3470101F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403674Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:52.313{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9068310D870F077A8FD2D6DFA86379F,SHA256=394AFDE8BD7DB5937FC9100CB999BD5FE2C48E5F7A27B83ED290B1D1532C889B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458688Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:53.427{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7FFEFD399AD988DD9E6E2BD3CE1A791,SHA256=D954F3FEF54A0F4B1F9B73816DF560BA6BC4E1162582ADFF84824390AF7C3F56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403676Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:53.313{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBD2D75AAC8EDF6351139A752965AB69,SHA256=E476D6350CBF421D813B66747745D9393E878C31ED7DDCE6E7FA1D5EA5464A31,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403675Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:51.306{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54262-false10.0.1.12-8000- 23542300x80000000000000001458690Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:54.457{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C6F56EA473D2CABD99A7FBD763D6A9F,SHA256=B7A2DCEE73B7AEA73A2BD55E7D3CE6306145C2D513562A433BD3B4B59BA7EDB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403677Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:54.329{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=657D723FFAF9408D3228C61E3BD33EA9,SHA256=454253211DCEBB19532CDF51C34CED60100BDA1A3B11B20FD0F9C15A48E3BC41,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458689Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:51.634{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63295-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000403678Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:55.345{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D407BCABC356DFE7F507478E84B4EFDB,SHA256=CF6689EC205214B9829E3BA4C22CDDB8BAD4C7EAB8DE672E7ED5B697CE2F8D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458691Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:55.472{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99C63A7AE8C4FC9F5161D431BC70BD99,SHA256=46EE7E36DF7B9998936CAF3EF01DCC96A101DE07E5AADAE23FD3E97BA225FBC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403679Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:56.501{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9E577360EDE6AE8BF47A759D9697E96,SHA256=F179B609C14254323A69637F678597EFDF5BF3DE6DD68C2DA4A3251A2FB8C3CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458692Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:56.486{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E461AF8846CA5B9F51A2BE19B39A220,SHA256=CDA51C43BFF3B20B3E9060628A953701E6A8CEB01D77E1E197F32EE17402FF37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403680Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:57.516{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F02018FD5326BC0A1EE42AA258924B1,SHA256=F0861CE160442C67AA0D859E2CA175EB7D889F4F872B6E06803D66FB57A2FD65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458693Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:57.503{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=080FFDB4E1A973D62CA1F1C70E6C7A62,SHA256=11309B9F30244DB4DF55A4A39224651EEE783FE3A9D09CF99776DE337622C73B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458703Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:58.968{D694AEB8-1022-60E3-EF0B-00000000D301}46802116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458702Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:58.805{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-1022-60E3-EF0B-00000000D301}4680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458701Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:58.804{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458700Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:58.804{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458699Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:58.803{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458698Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:58.803{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458697Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:58.803{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-1022-60E3-EF0B-00000000D301}4680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001458696Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:58.803{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-1022-60E3-EF0B-00000000D301}4680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001458695Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:58.801{D694AEB8-1022-60E3-EF0B-00000000D301}4680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001458694Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:58.521{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F324B746EBE8850F69DAED7579C9D5F7,SHA256=F061416082911FE7DA310800F7BEA89962543167AFAD11B4509EAD82115498DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403681Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:58.518{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D97AEE3F3A2226D319E144B5CDD9723F,SHA256=C71B56D40E1382C25D3F89580D05F14F49B64E44263649EEB26DC7E61D1CF085,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458714Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:59.852{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FA929B97674B58118303B1D8919B4B3,SHA256=836AB6ED410286EA2EC52C302A95E02C5F2FA9F674C0A8E4AA583A64A6A988BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458713Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:59.852{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21281D6598A29EAFB297A5397EAFD004,SHA256=02FA2042847B4145744A73C3767DA0AF5B493416783177D83CFAF58314005E43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458712Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:59.536{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8174892B68761154F48DD529B7AEB84D,SHA256=BB8869EE913A51B58ADB54F58A70A3E22474350E716C010D3E6C7E70F3215691,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403683Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:59.531{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E4F46D4B6948B107E716BA7F1BCD8A7,SHA256=67420FB0CFDBA08EACADD760D5B1D2A543FDB0F6B669E324EE1E69481E2D3A1B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458711Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:59.483{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-1023-60E3-F00B-00000000D301}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458710Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:59.483{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458709Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:59.483{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458708Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:59.483{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458707Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:59.483{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458706Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:59.483{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-1023-60E3-F00B-00000000D301}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001458705Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:59.483{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-1023-60E3-F00B-00000000D301}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001458704Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:59.484{D694AEB8-1023-60E3-F00B-00000000D301}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000403682Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:58:57.321{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54263-false10.0.1.12-8000- 23542300x8000000000000000403684Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:00.533{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E91D69B12D9D0B3B8ABC672EE25540E8,SHA256=6DB375C3ACCD9E62E0A7DCE54E23E3BA32B93E4BA704D0307999C375DF1FF961,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458724Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:00.536{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C656AEFE6314081165E839A09D4DE5D,SHA256=C9C1136F1FAE2ABFC996FD038CF72309ECFBC469E2793182A05EFC0AF50AA122,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458723Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:58:57.643{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63296-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001458722Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:00.151{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-1024-60E3-F10B-00000000D301}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458721Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:00.151{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458720Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:00.151{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458719Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:00.151{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458718Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:00.151{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458717Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:00.151{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-1024-60E3-F10B-00000000D301}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001458716Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:00.151{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-1024-60E3-F10B-00000000D301}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001458715Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:00.152{D694AEB8-1024-60E3-F10B-00000000D301}6844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000403685Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:01.549{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6A25C5F472BB6EC310FA20BFCC90B44,SHA256=ACC5ABAC2969C010962B6DB50956BDD814F3C229564DF4873DF3F222C20B6230,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458726Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:01.551{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F96588B2BF2192830CF5F1899E026D,SHA256=0740B776DFBB3EF560E742323BFE36ED39789C352E3B6EB03BD94986F6567B41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458725Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:01.201{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FA929B97674B58118303B1D8919B4B3,SHA256=836AB6ED410286EA2EC52C302A95E02C5F2FA9F674C0A8E4AA583A64A6A988BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458736Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:02.734{D694AEB8-1026-60E3-F20B-00000000D301}5428108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458735Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:02.601{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-1026-60E3-F20B-00000000D301}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458734Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:02.600{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458733Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:02.600{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458732Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:02.599{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458731Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:02.599{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458730Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:02.599{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-1026-60E3-F20B-00000000D301}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001458729Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:02.599{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-1026-60E3-F20B-00000000D301}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001458728Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:02.598{D694AEB8-1026-60E3-F20B-00000000D301}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001458727Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:02.566{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4E912D705EC56594CA1F6E5A3E1FA67,SHA256=19EA30432EBF06C9A2E47FC3E9F9C94E3B8B9134DCEEA8367CB158C44C472663,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403686Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:02.565{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AD29C449D916FBBE6E6DE0A5725DD67,SHA256=4E4D249E72E5D1D062170C8B7D9D526D59AA54D7C2FC86F4E20179C5783A5360,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458756Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:03.950{D694AEB8-1027-60E3-F40B-00000000D301}53286348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458755Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:03.803{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-1027-60E3-F40B-00000000D301}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458754Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:03.802{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458753Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:03.802{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458752Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:03.802{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458751Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:03.802{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458750Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:03.801{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-1027-60E3-F40B-00000000D301}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001458749Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:03.801{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-1027-60E3-F40B-00000000D301}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001458748Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:03.799{D694AEB8-1027-60E3-F40B-00000000D301}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001458747Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:03.620{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78F646E4612810452F69165DB007B0EB,SHA256=C75577FC0B92269BA9E9FFD7285AA8CD35A60E305F6D93B6E2F158BD02D49D33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458746Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:03.582{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F53B3D612AAF5B7599C619837BD539F4,SHA256=D7C4648AA52B13DACB233E159309BD360DCFF13DC53BF7D5E2DC315FE180300A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403687Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:03.580{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05A757B5FB2E135445B7012E94519A98,SHA256=BE6470C05E0AFA068E49AC4480AFDC9051B507C73670559013DCB8F38F044333,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458745Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:03.319{D694AEB8-1027-60E3-F30B-00000000D301}57404996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458744Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:03.181{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-1027-60E3-F30B-00000000D301}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458743Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:03.181{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458742Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:03.181{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458741Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:03.181{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458740Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:03.181{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458739Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:03.181{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-1027-60E3-F30B-00000000D301}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001458738Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:03.181{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-1027-60E3-F30B-00000000D301}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001458737Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:03.182{D694AEB8-1027-60E3-F30B-00000000D301}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001458766Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:04.866{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E4F6D0C4B4FD9303D55279BD59A0377,SHA256=4770121A0216B2F94C242F27125DA8794C9D32D6B7C1F7BD09377D04E4E24AFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458765Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:04.603{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7452C58128A71AA483714925B898669A,SHA256=976A6989B42A42065A7D3D86D2F918F58985C39E69CF928ED19984366C6919E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403688Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:04.596{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B0E4063494B0AAA7C9F0E4C035CFE1,SHA256=59CC42420C92F90F26D049EB6E710DBB6C678C68F6545D6912CAFA1E4BF3D606,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458764Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:04.481{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-1028-60E3-F50B-00000000D301}476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458763Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:04.481{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458762Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:04.481{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458761Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:04.481{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458760Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:04.481{D694AEB8-B3EA-60E2-0C00-00000000D301}8602180C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458759Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:04.481{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-1028-60E3-F50B-00000000D301}476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001458758Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:04.481{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-1028-60E3-F50B-00000000D301}476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001458757Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:04.482{D694AEB8-1028-60E3-F50B-00000000D301}476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001458767Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:05.649{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AE3D5060929D6DA9FD8145AEAC0D2E2,SHA256=CC3D2864C3090884E0ED3C86CC6722A814317568B4F92DC6C3C5D23ACB39361E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403690Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:03.292{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54264-false10.0.1.12-8000- 23542300x8000000000000000403689Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:05.627{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5979DD52A2F5E768872B6DE3AA5A6B9B,SHA256=84451EDDC934EB14773592F5223178B72F128A1789B62AC9DA962DF22E32C06F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403691Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:06.815{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D41191853EEF9F15DABE29FDFB0A2A00,SHA256=101FC456BAA86EB669F85030DD9D9CE5FBC781E556FF1269C675EBA4E188E187,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458771Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:06.649{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CD65C64821D6376B7330425D1CA6880,SHA256=927832B0E933092E2A9F8B73AB37EF3EA00198A7863FED676C43C9340424945D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458770Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:03.663{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local63298-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001458769Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:03.663{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local63298-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001458768Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:03.625{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63297-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458772Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:07.665{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D9F8B0D002A2B739B5EC81F13CAA6A,SHA256=AAA2A70A5A787409EC916766275FA1BCBBFF6385EFC5546AD2A4968AB7812A7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403692Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:07.815{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECBE4956C68869B65889B6CE0D3FFF3A,SHA256=CCCAEE9772F49FC326D6118D1BCBF734F175267F24D668038321A2F7F04AEF6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458773Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:08.680{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C0B679460E56B7250761091B25A96EC,SHA256=4AFA2636B5EC94D92D9B72140A587CDD1D3E18349B309A613519FE0CB66A7A2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403693Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:08.830{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F4A446F0CFB75DCB6BD2EDA66AC767D,SHA256=8ED9C4FA74EEEA48A89504FCCCAD5ACC1A9E7219A4A3D257C034C5C67F375A97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403694Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:09.830{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29A0FB704C9D93728DC73276103AC9ED,SHA256=6C6AB45A3228AB4E74A2AD82542B92886CE958E20F7C25A4AC6C32DD6F3FB3EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458774Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:09.717{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFF2D405CA18E1AE16812FD805F58158,SHA256=45922253D247FEF8EA8C8ECFCA95D02C0A57991346EE317EC7A8B21DDAB280F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403695Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:10.830{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEE0CF7BD2D97048193AE922EE10D055,SHA256=D4115DB14521FB5D37D59A298E1B3F415E98CF3FFEB4FD5045D1F1BDD13FAFEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458775Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:10.763{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71705456B80840996064107D2DC9870F,SHA256=3C661F08C4015CB03A2EC354C47510FA45F4E7D25C6136CC3DFEA815288977A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403696Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:11.830{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B41F1993FB6DBC3569CF94ECC854639,SHA256=E8039BEA4CFCB94DFBAE10D279D67275B011C18528940A20EC7528EDE15E28AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458777Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:11.777{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A278241CB57E027BAAB38342607CF1BB,SHA256=EADF92D355A72B192A39E270CEEFC3C56A8BA60F48EA93B016291304D776859A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458776Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:09.638{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63299-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000403698Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:12.830{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35D8584FE59CAB5D49DC9D12849759E7,SHA256=17C5AD1429AC0EDCE9E70511D8764C9EE633D8B503238E42F0E9108E558303F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458778Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:12.794{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8946E391A4E4213B608057AD13B37242,SHA256=C4D77591FFBEE598C16C515F832FC39F0981027B1632B8FFD91631D20C0360FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403697Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:09.260{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54265-false10.0.1.12-8000- 23542300x8000000000000000403699Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:13.830{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C540F442B149AD8FD85AA1DA69A0C8C9,SHA256=1690A5EFF30D6C6CBEF51AE0EAE13DD11787E5E4F38EDD693F7FDBA7FCAE77DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458779Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:13.813{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=744D6E903CB54A81B1D7F1EA3D84924D,SHA256=E143B6C6F97C3EE7F6D7909BB04EE1CBC6855970E20110C60E4FB8957C438E79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403700Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:14.955{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A994E5772F914E46EBA9166A22103ACC,SHA256=276478514B09783DB6555516CC566E65294BF8B339B246BCAF702B3FD4CC9233,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458780Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:14.827{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACD4D0BFFD1E6B51F8744B950DA3BADF,SHA256=8B433DE9EC28358DA48B5FF2CB00E41F4E79F31B6D1E520E82F50BAED22375EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403701Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:15.971{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A12B795CC05804F26E9F37BD6A31127,SHA256=A15D38BAC101B9409ECBB3D88495D45BADE7140BB215C2E871EED7D267492E84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458781Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:15.842{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA4DD87DA41426D6BA2B563BE577C752,SHA256=0668E9088CA70E393B181E58136FDE450D1263D14E502E5368AC79FCD883126E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403703Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:16.971{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E592DC397E2CD14CD43C3381F63B6129,SHA256=172DC64F5BD5F30800AC64B605EE1C6910182EF15585D7D359380DEA36AB3E6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458782Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:16.856{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=620A0EC096282CE9B9059AAD511E4D8E,SHA256=B574FED260B6C51376A47357F3BAA95CD204BFF4D004FBA93BB4D57D891999C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403702Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:14.464{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54266-false10.0.1.12-8000- 23542300x8000000000000000403704Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:17.971{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE2D6D3C902D147BC90ED18B55393A30,SHA256=643B338DE5D0AD290893BEB0192B895012E91F9343D7F97BCF35A3435660DA47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458783Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:17.873{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EA1DF54C7DE56C580C14E8F75A3F164,SHA256=A622D538D67BD4AC9A6CC7D15368F96B217F50969CC78F459BC524F4D245A6DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458785Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:18.890{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67791BD41164168B65E2321B6C384BE9,SHA256=27D3A328ED8BABAECFA4ED161FCD2437F227BE4FAC237443012FB0FE51ACCAFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458784Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:15.616{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63300-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458786Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:19.908{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FD670FB354986D67FA1C134AA749F85,SHA256=B8BF4A40D2548682D14E748D79ADE46C559E6EFC7601E2F50DC8BA08E725D38D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403705Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:19.112{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E003DC597E36A49683352EA3AAD9598B,SHA256=0CF6591165A4C5F817DEB11682E78CBC8B6093DBE49892BE9D122241517B8A5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403706Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:20.112{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1269459E5820821B5FA4B880AFFA3E3A,SHA256=7A634CCEB80A56FF57B3BB4BD7EB1A04A0ADD6C5D55A4E627FC026844C4F0A64,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403708Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:20.448{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54267-false10.0.1.12-8000- 23542300x8000000000000000403707Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:21.268{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DFB647A08B261D4BD852C1AB61589E2,SHA256=C014F6DB838F8E95C0A3ECB3FF75954541BE30FFAC3BE80FA3C17C5BAB93F4C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458787Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:21.038{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8B230835DC4F69C1C6E13DE9BBBB084,SHA256=39B6F48F6225B5A7B1E4E663D1A2D9ACFEAD0CFC14DA64D1E8634301F1CE3F43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403709Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:22.377{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53A13E7F995C7073A297CCC780528A17,SHA256=8555E7EDE8743BAE9521B7E4B0B4D6A2BA9862F7F63752C2075BECC6136C5336,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458788Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:22.153{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A299AA9BEBE399CEDC9B0BBC0E7542E5,SHA256=80895E494334A10E5435DE50A13108F09262DE85A1B239F72FC7C4178D2B7961,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458790Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:21.628{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63301-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458789Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:23.186{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC09C0731055459AB99FE232DCF13DBD,SHA256=43B7ADA4F44A578AF98F7E2731AC3467BE70BEB7955C17D5503A23C5B1C34208,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403710Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:23.377{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE437582BD7513A88D5EDD7B87C37EE3,SHA256=03FDEB74840E78FF1F3BBA07BD05EBF06D2A4E9AC39292B01DD8B964A195D349,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458824Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:24.635{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65B8EE24012D1FBBC40D8E7119FC54FA,SHA256=F45BD13B07094B7C06EF23308EDDCE888CA5087A71515CDE10AD97BBDEC337E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403711Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:24.377{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=592B438F26BA78E175B726032BDE62C6,SHA256=A1C53C4828069343D77C90396F021533B4C7E0120A2C9A32575FFD1AF749B111,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458823Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:24.020{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458822Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:24.020{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458821Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:24.020{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458820Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:24.020{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458819Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:24.020{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458818Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:24.020{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458817Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:24.020{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458816Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:24.020{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458815Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:24.020{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458814Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:24.020{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458813Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:24.020{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458812Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:24.020{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458811Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:24.020{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458810Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:24.020{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458809Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:24.020{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458808Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:24.020{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458807Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:24.020{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458806Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:24.020{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458805Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:24.020{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458804Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:24.020{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458803Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:24.020{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458802Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:24.020{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458801Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:24.020{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458800Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:24.020{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2500-00000000D301}2804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458799Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:24.020{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2500-00000000D301}2804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458798Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:24.020{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458797Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:24.020{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458796Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:24.020{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458795Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:24.020{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458794Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:24.020{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458793Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:24.020{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458792Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:24.020{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458791Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:24.020{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001458825Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:25.649{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79DFD745858465445DC05EA7E66E3F08,SHA256=A07177778E8A96649A2A7255D70BB92F93200DC7996E5AB4BBBAF1771C1E8948,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403712Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:25.377{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C66770896B2E29D192A821723F16E88,SHA256=54492894200D2916D68DBB22CC0C2932B3A77E3D01EB7902602DA9D97229DFFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458826Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:26.682{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D05189F1F6EC4FEAD29D793BE8654DC7,SHA256=876365AC75C58B5EF41C657BC89589DE89E4BD87033AFA05C77B9DE9743885EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403714Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:26.440{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A2953627CE2A58F3CCD2AC25F16D3D95,SHA256=0407ECE570DB3EAB6E45E412CA5C952D20C40FBA12F6EA87AB65D17FB65B1160,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403713Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:26.377{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0DF3E520771AF164B9337183BA0703A,SHA256=D6825BC1DA21C799415930F9699CFF74DABC9DF3CA044E1181E767BAE40CF651,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458827Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:27.684{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=079B83A8F9F6E6B98D5B19E09EFB6DC6,SHA256=26F246C776430424B1B3CEE9D640F4C343F2CD46A201F554466BDF666A9D4EAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403716Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:26.386{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54268-false10.0.1.12-8000- 23542300x8000000000000000403715Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:27.377{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11F3DE6A7CA2BFED57511EE367E97F9F,SHA256=DED556E4F6723F5FA07617616A0AEE0B3450ABFF0DF9689548AE4BD4FB29BCAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458828Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:28.718{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFD3C02AA38C2EECE89BDAB1762FEDDA,SHA256=6A5B6C96C0BB0E48E366F0D47E36A39739C7BDCCE01280E7D79A55354C7D7FBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403717Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:28.377{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA7DD7CCB1AF124070B4E6A014A60688,SHA256=74B340F89CED82A7EC436A929BE7445D081CE108D81B746DE85266A1E45407E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458829Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:29.748{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=283C9483F1205DF747BBDAE80B4B7FD4,SHA256=92ADBD4A0F1BD2AE7E8757DBF9CDCA91100F501C428A090B740144CA304C930F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403718Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:29.377{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC81E2DFF477B2E73255B2A57130D107,SHA256=48C2C7B189DB6F2B5B1A73C483A5263A485DC1EFFBD013558D618728042CA5CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458831Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:27.625{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63302-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458830Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:30.763{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A92DEC52AFC352C40479F59406E54A8E,SHA256=15A89F6CB57E7D3B66079DF99972BB27B3795E8C667440A61012B976F9C0FE75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403719Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:30.393{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A5CC15048AC57FBA72903D1F9F9511B,SHA256=D3B183FC502EDFFFEEBB2BAFBE08CED2820934B9ED753EF929C1926252FD5A83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458833Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:31.780{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17066A79A8ABDB1A88624E74139E908E,SHA256=2ED8C712D899C98E89239FC592FD2F91B96C571E8BEEBA84F40DC3EAE9C324C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403721Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:31.768{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403720Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:31.440{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=668486780E0FC17A2F4694F34BFC1C45,SHA256=156F6897B5EFEDE145835677704B6F1EE5834CF2E351BAE37E76BCFAE004C7D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458832Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:31.199{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458835Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:30.621{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63303-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001458834Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:32.813{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=962A910D749220E9DD49A6E21C5D8235,SHA256=BE01EC96B7C004B7EDA1FFA488D28EE734EEE54FFCE3325357B40291421E47A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403722Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:32.455{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C24D5AAF99BF1777471BC8F9D2433B7,SHA256=4B7777C2000D0121C9F1FFACA44B337491BBEA910612A66CD72862E419C6530D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458836Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:33.827{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA4480CC012E845F87BB9BFFD9054EB6,SHA256=0307A2797ADD6BBCB737B9A02B1D5205D507FE9C1B4B8045E07CB1BBF9E20D05,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403725Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:32.386{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54270-false10.0.1.12-8000- 354300x8000000000000000403724Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:31.980{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54269-false10.0.1.12-8089- 23542300x8000000000000000403723Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:33.471{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2309D00922B7FD8EBF4B8C6244DF703F,SHA256=7660ED16AE05BE99B8B87C656CF249D9F8F62297E679156AF19D01E936CCB75F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403739Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:34.518{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCBD32181C002F12A8C42146F03C096E,SHA256=CA8FCC7A9899DBC46740C21B0D7CB3B799AE4648A7BA18450353B6AA8E72289E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458838Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:34.842{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60BA44E152933517FD57A3863D367B28,SHA256=2762D6F0A4FAE202297CD0FBD85AAB0EBF765A56D84E174D39B1631BDF9F3F7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458837Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:34.211{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A76D1C412BDAEE00912888691513D747,SHA256=35DC41C26003A6C41EFACD5E952B9A21BDC1583FAF8185B58AB345E2127E372E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000403738Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:34.487{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-1046-60E3-5D0B-00000000D401}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403737Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:34.487{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403736Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:34.487{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403735Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:34.487{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403734Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:34.487{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403733Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:34.487{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403732Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:34.487{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403731Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:34.487{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403730Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:34.487{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403729Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:34.487{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403728Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:34.487{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-1046-60E3-5D0B-00000000D401}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000403727Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:34.487{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-1046-60E3-5D0B-00000000D401}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000403726Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:34.487{7F1C7D0B-1046-60E3-5D0B-00000000D401}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001458839Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:35.843{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C02D3A241C9DFE493B3CB73647FC9BFC,SHA256=F9D596468EC1B82490DCB47BCDF2A161A675878CD0ED9C8F517E68068A50ACD8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000403769Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:35.658{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-1047-60E3-5F0B-00000000D401}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403768Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:35.658{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403767Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:35.658{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403766Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:35.658{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403765Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:35.658{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403764Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:35.658{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403763Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:35.658{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403762Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:35.658{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403761Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:35.658{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403760Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:35.658{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403759Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:35.658{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-1047-60E3-5F0B-00000000D401}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000403758Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:35.658{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-1047-60E3-5F0B-00000000D401}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000403757Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:35.659{7F1C7D0B-1047-60E3-5F0B-00000000D401}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000403756Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:35.518{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1363849317705E72750E5E402DC1DD62,SHA256=11A434E1333D1FFE7D48439F2DB3C048C8AAE77EFC63BF7BD32D3CDD076C1F63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403755Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:35.518{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83042485F9A1B1799E3AF663CB270B2C,SHA256=F36402D551FE52EA7E1090849E38F11B41C0177FCFDDA992E7EF322DF54017C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403754Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:35.518{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51B8914F5ACAF773A1E69549A486F226,SHA256=DB807DA82FD5A8FE57E0A37EA81EF8F0D8C354361E2BE3F96FDDE3D26B69CFC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000403753Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:35.362{7F1C7D0B-1047-60E3-5E0B-00000000D401}23363884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403752Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:35.158{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-1047-60E3-5E0B-00000000D401}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403751Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:35.158{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403750Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:35.158{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403749Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:35.158{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403748Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:35.158{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403747Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:35.158{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403746Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:35.158{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403745Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:35.158{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403744Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:35.158{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403743Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:35.158{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403742Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:35.158{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-1047-60E3-5E0B-00000000D401}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000403741Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:35.158{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-1047-60E3-5E0B-00000000D401}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000403740Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:35.159{7F1C7D0B-1047-60E3-5E0B-00000000D401}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001458841Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:36.858{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16F9B32FD3B4EFA9E0D74A35519A592E,SHA256=12B503D8884C7683F69EE064FD23A1D8EDAA4B995C14886968B07C727389EE92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403771Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:36.799{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83042485F9A1B1799E3AF663CB270B2C,SHA256=F36402D551FE52EA7E1090849E38F11B41C0177FCFDDA992E7EF322DF54017C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403770Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:36.518{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5F3C9ACA5418E1A3663FB6F7A9E866D,SHA256=352CB459E2C6D7BFAD46D3032D6FE06A7C48C8B0223E477749C60DFFC5DB32EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458840Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:33.654{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63304-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458842Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:37.874{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB9BA00DE0511983EECAB62FD3AB34D4,SHA256=87353A491703D11A4F067BE7AF2E8627A796BFDC5C9653BC79DD877C27645A24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403772Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:37.533{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E195F45B903CC644F7BBAE93E0D2F1E,SHA256=6200FFB7B015816EC6FEAAF23AEBF898FA0A22805E7755EC5D4A7B6540566E4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458843Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:38.908{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70A895212B0006F34CC29EA69A7E036F,SHA256=E44C9A8D180FD17DE1E2C22A7085770EE7426F66DF01B6996C859BE03419397C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403773Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:38.549{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D556F751F126C3CE3C85C0A644BD8607,SHA256=CA4D29F0AD37F7BCDADCF13D436CC6DE214C24FEEF28CC6D70C99225A14D31DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458844Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:39.938{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEA7E6E07653553CB357040C5BF93F38,SHA256=48914591D558453E5A75E2B623D0B79D898FFE4BF0F3B7575706E667C5E89A5A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000403802Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:39.971{7F1C7D0B-104B-60E3-610B-00000000D401}18201336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403801Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:39.737{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-104B-60E3-610B-00000000D401}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403800Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:39.737{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403799Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:39.737{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403798Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:39.737{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403797Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:39.737{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403796Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:39.737{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403795Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:39.737{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403794Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:39.737{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403793Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:39.737{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403792Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:39.737{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403791Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:39.737{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-104B-60E3-610B-00000000D401}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000403790Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:39.737{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-104B-60E3-610B-00000000D401}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000403789Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:39.737{7F1C7D0B-104B-60E3-610B-00000000D401}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000403788Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:39.580{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78757535DA1079B1327902AF155A255F,SHA256=5B423538198E493D40F21EF7E1D5E582DC46FFCF00ABE465619DF6F035766C38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000403787Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:39.487{7F1C7D0B-104B-60E3-600B-00000000D401}25283468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403786Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:39.237{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-104B-60E3-600B-00000000D401}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403785Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:39.237{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403784Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:39.237{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403783Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:39.237{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403782Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:39.237{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403781Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:39.237{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403780Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:39.237{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403779Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:39.237{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403778Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:39.237{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403777Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:39.237{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403776Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:39.237{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-104B-60E3-600B-00000000D401}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000403775Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:39.237{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-104B-60E3-600B-00000000D401}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000403774Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:39.237{7F1C7D0B-104B-60E3-600B-00000000D401}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001458845Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:40.952{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1087A665D14CE89C90B8F2607208257A,SHA256=FF99A9764821D89664EC3C1F0EF55FDAB89F44785EEA88077196432C3D2B0AA0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000403832Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:40.737{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-104C-60E3-630B-00000000D401}1136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000403831Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:40.737{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94F65C9F7804DCA08B54A1B6334904BE,SHA256=6E1BCB74B04A7747DEBD9E656A31A393DAF0893C1C34BD9AE1A0917E72698FEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000403830Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:40.737{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403829Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:40.737{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403828Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:40.737{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403827Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:40.737{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403826Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:40.737{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403825Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:40.737{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403824Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:40.737{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403823Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:40.737{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403822Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:40.737{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-104C-60E3-630B-00000000D401}1136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000403821Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:40.737{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403820Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:40.737{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-104C-60E3-630B-00000000D401}1136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000403819Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:40.738{7F1C7D0B-104C-60E3-630B-00000000D401}1136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000403818Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:40.549{7F1C7D0B-104C-60E3-620B-00000000D401}28804076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000403817Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:40.330{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83035DD4B939DA81F508625B5FB61940,SHA256=10AE2EF37B1592FFDA558D0F17AF7D912277E8A18E947E3470D4359FC4D743A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000403816Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:40.237{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-104C-60E3-620B-00000000D401}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403815Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:40.237{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403814Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:40.237{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403813Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:40.237{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403812Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:40.237{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403811Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:40.237{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403810Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:40.237{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403809Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:40.237{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403808Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:40.237{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403807Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:40.237{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403806Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:40.237{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-104C-60E3-620B-00000000D401}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000403805Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:40.237{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-104C-60E3-620B-00000000D401}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000403804Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:40.237{7F1C7D0B-104C-60E3-620B-00000000D401}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000403803Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:38.401{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54271-false10.0.1.12-8000- 354300x80000000000000001458847Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:39.697{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63305-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458846Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:41.973{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A90230A88B734E69A1D94FD624517C7,SHA256=4FE5F0258F4BAF4A6ACBAA2F6DE4010FC98DE40A7D0A82E487E5ED27BFA288C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403834Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:41.830{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=830015703957066E9E5132D724C37E83,SHA256=66EE3A9895D4B01CA1829CA82002DA685C3335B602EDB0D340D25ACD7F6F9DE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403833Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:41.752{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F18A542280E94060DF399016DE984051,SHA256=13185E40AF8499AD999416F9F33D217E97B47E0C32803E7DC5FE9DF168C4769D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458848Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:42.988{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=559168CAACCBF128C5D55A831E2301D0,SHA256=A163804AC4A517D2A44DB7E80E5253EE64C678D5D11D5234FBAB84D64CD62270,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403835Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:42.846{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAFB6C6DCB5A13CBEFD1ED48782F7AB6,SHA256=2364F66AE6A7CA666FADF623C61B248F10AB985C6965E0BDB1FEB710C3E757F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403836Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:43.893{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=693539731B5381CED1FE1326B1F08B79,SHA256=E71EDE0A78574BEA8804E6F845B1372B768259636A6C5EA7382C25E11474AD02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458850Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:44.249{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\aborted-session-pingMD5=388F93CF7ED9A4AA12FFB83CFEADA178,SHA256=2AE5FAB0B4C50EFC8ADE946F90E90F1C0BAB4F5DB84E2FA99C46C560ED147E57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458849Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:44.002{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB272A47563C5C0CB7D1558C321F6A0E,SHA256=B3A2C4F5495A2038998FF7A5008DA1DE7CAF64230E78172E5600864E7C1A8CEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403837Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:45.143{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=567C858D2EAAF477815945D045EAACB8,SHA256=6DB90FC65222AEFF821CCA0710B11F5B71682549540252117A8D72F63BD1124E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458851Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:45.033{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C880F5FD915930276047948ECF6F823F,SHA256=5696E9C4BA8EA7B54C895AE5BE25776994B61E59F5CEB6B0DEAE4654CB2B23FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403839Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:44.417{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54272-false10.0.1.12-8000- 23542300x8000000000000000403838Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:46.174{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AA17EAFFD6C66EBC77B5204863189C3,SHA256=9C8FCE821F6244AFFA37DBB3208FA4F1B993ADC10006D521DDD8EA91EA561F91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458852Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:46.066{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A3D1EF045209EA13D2F639B61FC0398,SHA256=92BC0EE92DA0F1FD07CABDB0DA98F25479EE6633CD0AE2DC75E7AE5AF84B5E5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458854Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:45.444{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63306-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458853Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:47.099{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD8467980B32EEDA486E3D50E8DB6625,SHA256=5DDD41CBAF32D12AECE4DA85B2A039D07995A3FFC9DB193727D5DB2C649226D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403840Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:47.190{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=845EF11F101E5D9D6A0F8C052934B43D,SHA256=AE833307516FEDB81DB55EC41C461A79612AE2AA7072B6AEEC3B98BBABBE661A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458855Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:48.114{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE870B7F65504684FF56F60C7A3B3FF5,SHA256=9F4BC8EF2156B2F810104F48A851F41C3818E4D6A688A28065556253D594FDAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403841Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:48.190{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB925CADF54779795FC3CE4465A9C268,SHA256=1C71CAA8B0E7D7952068F315C6BF037D0711C640785EF353AA545C949E126DFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458856Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:49.165{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2AA2754AB55DE1DD26976C47A48C92B,SHA256=3419B949EEA53E0EE3A11A078BDDDF2E55029E5B14F9AF8522E01A75515CC21F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403842Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:49.252{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D7FD315D0D0F3145D812D1D35AD0580,SHA256=6030F9541AF8E8D1F774C4F8B1FC170D17724151532EBC96BF8EEEFCDF2742AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403843Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:50.252{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBA64F031E02F27A4E06913EBC9E22C9,SHA256=AA7C42498151D970D8DCAFD039E57DCEC70033CCD6ECD5E6C538D413577C6645,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458857Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:50.196{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1C5336D78AF84464AB3118E0B81D436,SHA256=3015962CB032EE72023E83CEC700C80327156403E70EBF90CCD5BD8F53A0256A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403848Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:50.436{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54273-false10.0.1.12-8000- 354300x8000000000000000403847Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:50.174{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-62171-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000403846Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:51.283{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAACD3F57F2C3D0DDDC1A5BD963CD56C,SHA256=3434AA7A56A8A4051E91F32E9F497583226198694DA066340FE910E466DA6940,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458858Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:51.226{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F22057EDF1B5EE9CE8E87C1FADD5FCA1,SHA256=5FC9175AF7AF63465F5047E282A3A7647C74D82FCF6D568FE6AD0C8701E67C45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403845Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:51.237{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A04E0ECDA3227E9DD44FB1258B830DDD,SHA256=E263B566555DBE7DDB7309992411F25F12D4748A53B26046BA33FB727EBCB0A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403844Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:51.237{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87A82BC46E1F4C765F64DBE5D3C149E4,SHA256=964FF5424031D7BF915BADAEBA1DF44616543B42C8ADB53869F49F4672209AF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458859Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:52.241{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8207A9A146B249EF99D95D7C32624804,SHA256=B740618AF1FB0821F8009E4DA03F5CB4F1E154FB5FC317231BA9E833DF90C67C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403849Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:52.299{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA9B1D14D8956755F2AE3E4E4D6E5F29,SHA256=7C39FF257D260EBEEE3BB1DA9D5CBECCE5AC8A623D23F9BF2F442C7EE205B8CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403850Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:53.299{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2CB4303E981F2E3216D98ACC8D4C98A,SHA256=F836638B18739BDE5103B761534B6884AB357482A0A8E898CE1DBDB3954BB225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458863Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:53.793{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2936668A3B6186280C55364A46D5031,SHA256=0B3C639AF38173A3CCAF842CF6E9F919992A9331AE536CF7E4837E556CD624B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458862Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:53.793{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5287ACC13064A41552F086E68B2718F5,SHA256=9BFDF345F749B4EDE25EFCBFA01FB393AAC5DCA8CC6542DF7EBA0C06906C7318,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458861Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:50.685{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63307-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458860Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:53.258{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E48D02CCCE6B0F327761AD2345324950,SHA256=C1CC1101ED43F9A3609BCE663B95BA2F58FE4F1A8AA2256E8DCB388958EE1865,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403851Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:54.299{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F828A154C838A988C3C39DB478CD0761,SHA256=7ABE5B5513D2C560D707D49C0710E6B6A7F16C94CD8030BF6456AC06827C59D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458865Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:51.706{D694AEB8-B3EA-60E2-0F00-00000000D301}376C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-4010-false10.0.1.14win-dc-201.attackrange.local3389ms-wbt-server 23542300x80000000000000001458864Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:54.292{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D128D568BE5B0858DA85E141E3AC114,SHA256=705E9748ACEF0EBB9518A5FBE757B7A67D61617E6A657F91B9AC4549E924CAFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403852Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:55.299{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FF2D50D940DE14F661E7CA93F50276E,SHA256=67CE07BD02ECF3B647A82ED1584A96FA89D3118390ABF5CDE523F7835C2FC926,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458866Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:55.323{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BE7BB20585E36ADE90490D833BC05A1,SHA256=A3BAB8A29CF0AD8A7DE518989626CE63E6CE4C19E3CDA886A259D130A9CD5B38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458867Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:56.391{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEBA506276669C4E73FEEEB55CE80BDE,SHA256=D5CA47E343C9C35301F31B988FC8D770E48BCFCDB4655177A55DFCE56E853F9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403853Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:56.330{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11E5DEC20F426E84F33C148AAAE67511,SHA256=E723F97A7376512ED4AB20C9D96E5A744F7F74257DB9B2596446DF5D29F1A2BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458868Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:57.421{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=156C3B49C3FA3F07346660FA3316B9ED,SHA256=874EB4EF8E347CF101B7C445342FF5838E5624B0BD4BB143CF77AE70FB59F0F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403855Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:56.386{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54274-false10.0.1.12-8000- 23542300x8000000000000000403854Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:57.393{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5079BB159AF163C1C93C0FFF699F1E76,SHA256=A4F7B85A734343EB7733D67B2E18BADB19439DE801CE20896561C2CA87D2B88E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403856Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:58.393{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F40B98414C90327E547A390723D59217,SHA256=0B1BCFA513DAF1F552338F8657FB8192A6E36529A82615A8EF64792A177CDF3A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458878Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:58.819{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-105E-60E3-F60B-00000000D301}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458877Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:58.819{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458876Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:58.819{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458875Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:58.819{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458874Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:58.819{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458873Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:58.819{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-105E-60E3-F60B-00000000D301}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001458872Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:58.819{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-105E-60E3-F60B-00000000D301}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001458871Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:58.819{D694AEB8-105E-60E3-F60B-00000000D301}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001458870Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:56.449{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63308-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458869Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:58.452{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB4059E03AAB5EA8064D7F6759808ADA,SHA256=81D658D5F012D2723C987101DB148EF59643CB60100427C6EFE19287ED5EF1F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403857Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:59:59.395{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A5419FDAAF99858780A076265F8F006,SHA256=89F8E9C08A729BCA93DA62CB157068C46141CE096E0A03B99E9E29AB25158A06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458889Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:59.886{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4834E7AA3452836C23C7646CCE7E1E7,SHA256=0FF3DBE6038993B2042272D7777A58B414A1A9C9370439B8556B769CE5AD0B3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458888Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:59.886{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2936668A3B6186280C55364A46D5031,SHA256=0B3C639AF38173A3CCAF842CF6E9F919992A9331AE536CF7E4837E556CD624B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458887Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:59.502{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-105F-60E3-F70B-00000000D301}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458886Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:59.502{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458885Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:59.502{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458884Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:59.502{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458883Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:59.502{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458882Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:59.502{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-105F-60E3-F70B-00000000D301}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001458881Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:59.502{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-105F-60E3-F70B-00000000D301}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001458880Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:59.503{D694AEB8-105F-60E3-F70B-00000000D301}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001458879Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:59:59.487{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3A7C329946B2E437AFD244404E8513D,SHA256=9188781AF8C3A546B96A9F7D282E9A47DF7065616EB77DB0DC2EA3475128CE22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458899Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:00.493{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B36EE6CECDB11370772751357CEADB5,SHA256=16D491CBEF8D1E8E0442961A1DF68D04D6C8DA544B6FDE6CE78DA096375E9EB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403858Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:00.396{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F8D4EAF4E264ADC28BD41C309313575,SHA256=9148D6977DE1FB3D5DFE36FD13D1DEA9C8FB48322F815DADE0EF1509CF78F564,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458898Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:00.430{D694AEB8-1060-60E3-F80B-00000000D301}42084684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458897Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:00.157{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-1060-60E3-F80B-00000000D301}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458896Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:00.157{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458895Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:00.157{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458894Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:00.156{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458893Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:00.154{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458892Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:00.151{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-1060-60E3-F80B-00000000D301}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001458891Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:00.151{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-1060-60E3-F80B-00000000D301}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001458890Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:00.149{D694AEB8-1060-60E3-F80B-00000000D301}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001458901Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:01.508{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A73B6F542DE4BB3A28AFBF4B38E786AC,SHA256=65327035036A3B186C7972EEDA98EB2301EDC1CF30B920EADBB1FC7957680DEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403859Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:01.398{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA6377074FB1F505AF282F78FEF1AAB1,SHA256=09337D041E0AF511AC73CDD689971FA801E5FEA876F12D57D55C35C065968E56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458900Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:01.161{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4834E7AA3452836C23C7646CCE7E1E7,SHA256=0FF3DBE6038993B2042272D7777A58B414A1A9C9370439B8556B769CE5AD0B3F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458911Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:02.775{D694AEB8-1062-60E3-F90B-00000000D301}44004084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458910Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:02.606{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-1062-60E3-F90B-00000000D301}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458909Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:02.606{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458908Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:02.606{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458907Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:02.606{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458906Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:02.606{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-1062-60E3-F90B-00000000D301}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001458905Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:02.606{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458904Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:02.606{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-1062-60E3-F90B-00000000D301}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001458903Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:02.607{D694AEB8-1062-60E3-F90B-00000000D301}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001458902Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:02.522{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6387807085689393BC8719D4683384A,SHA256=FDB6EE9B72F0E0FE5AE231415D32B7805E9A76B64602213EDF7B38306F49F36D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403861Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:02.398{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=939B61342B9C82BF0CE18EAEDD860E6A,SHA256=7EB1C070B6A78257EE24A6071D170E81973193BAD3472A4F3A2D11E05F3CA5E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403860Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:01.392{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54275-false10.0.1.12-8000- 10341000x80000000000000001458931Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:03.860{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-1063-60E3-FB0B-00000000D301}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458930Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:03.860{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458929Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:03.860{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458928Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:03.860{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-1063-60E3-FB0B-00000000D301}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001458927Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:03.860{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458926Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:03.860{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458925Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:03.860{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-1063-60E3-FB0B-00000000D301}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001458924Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:03.862{D694AEB8-1063-60E3-FB0B-00000000D301}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001458923Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:01.681{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63309-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458922Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:03.607{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B1349D362134106A4F3B1A584712417,SHA256=A91D82FA1BF90212F7174BEF6CDD993D5A1CC2FAD57D6BBE9BBFEA97A943B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458921Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:03.522{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C09507DD4EB23CA4C8255FACB5131EC,SHA256=E85BFD30D0B921CB0209DD195202302A584839087F63CD42A8A50D0127CC46A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403862Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:03.398{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E53682296C57E0E7F6AF495C07BF292,SHA256=FD79ACB0C3222E5BFC93060FA5A7A46917E6AF6B0697C9C8DD653B1F33DCBFC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458920Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:03.438{D694AEB8-1063-60E3-FA0B-00000000D301}54723148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458919Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:03.260{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-1063-60E3-FA0B-00000000D301}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458918Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:03.260{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458917Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:03.260{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458916Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:03.260{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458915Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:03.260{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458914Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:03.260{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-1063-60E3-FA0B-00000000D301}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001458913Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:03.260{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-1063-60E3-FA0B-00000000D301}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001458912Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:03.261{D694AEB8-1063-60E3-FA0B-00000000D301}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001458942Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:04.875{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22B735122FEF1CFEEAD878CCD88DDD7F,SHA256=6BBD9957FAD15BEC4A0FC3ACCC03F55223FCCF54D25C7F955A0E32C6DE553E0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458941Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:04.691{D694AEB8-1064-60E3-FC0B-00000000D301}61006316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001458940Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:04.544{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3714D0BFD6E4DC964475CCF0C6870BEB,SHA256=882199CC010C41BD70D360E95442C1D2FFC06418FC1CB5D884E3FD70E1380907,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458939Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:04.542{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-1064-60E3-FC0B-00000000D301}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458938Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:04.541{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458937Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:04.541{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458936Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:04.541{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458935Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:04.540{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458934Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:04.540{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-1064-60E3-FC0B-00000000D301}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001458933Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:04.540{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-1064-60E3-FC0B-00000000D301}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001458932Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:04.539{D694AEB8-1064-60E3-FC0B-00000000D301}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000403863Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:04.398{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=231194D1F98EADA55E1F61CF4F5A8817,SHA256=E528981F0E23AB1DFBC885895EFF4C2672F7B330346971A2B19095535496670A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458945Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:03.666{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local63310-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001458944Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:03.666{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local63310-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001458943Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:05.558{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41728C6C247382FDEF222CC72DD912FE,SHA256=B99E3B0442CCF85607EF68BB71CBB8C5841901B09E77052A4FF79B0E4FE49FC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403864Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:05.398{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83E9E3DCE70C88CF1C7E05F890B55367,SHA256=0C8ABF40B6D63872F3EF924F7B723C14779F9205ECF2E1575A01334E4FA403E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458946Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:06.573{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75320877A82AEFA562131919107D13A1,SHA256=832EE49B273FD843672C5BB8F6EE0E44AC79964B42B36FC8BB88F61BB6C5A0BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403865Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:06.414{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71DA3D1DC445CABC6E6CD404F04B25ED,SHA256=A89625B9C835B084EAB60E8BA9E2828B9438E1D07CBAE0100BB0994720113978,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403866Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:07.429{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1AE805BCD9262902CFBBBCEF9FB1BC2,SHA256=098E34E9755A1E72CDC333E4F924F59676338F4574D7274707036A84C9E757E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458947Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:07.587{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=079B580AEB61D44E597C120FADF12443,SHA256=F5FF369E9ADD8C611D0223B8634884A6971B5B9DFD7621F9007E1DD655D20B83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458948Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:08.602{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4A676E40A82C88A984F5531436FBF03,SHA256=37C7B3930432CFDDA404958F76A10E5E9AC0D3ABEEBE71982133A7C42E20C03C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403867Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:08.429{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=305E1E155850E00D60F5D5359302C923,SHA256=BC0C960C10005107A57A1FCB6C6CBB04BC3947611D2097C717C96E45822D2865,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403869Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:09.429{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09CAE6CF1CBAE3193BBA2A45FBE922B9,SHA256=6603D5C5DE6D8D3D01CF7A15B24F15BA30058C4829F8007AF50F77B811BF3C17,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458950Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:07.662{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63311-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458949Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:09.617{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD2BE4CA02214AB3BD66DF77E7A450E4,SHA256=CDC4A091482AE07BF41BF713191D2AB46DE5AE24FC6DC6AB5931CAF932C1D51B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403868Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:07.360{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54276-false10.0.1.12-8000- 23542300x8000000000000000403870Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:10.429{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DE8C34EDE1B721553EC9D72140DE744,SHA256=060F642B0163000657B5C73DFEBB11EC7D758F0261D00ED2BCFAF32B3DFB3539,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458951Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:10.634{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=403B7FA561E6E012B857C4326BA91554,SHA256=B1A161CABDFD495BB37F4EBF371BDCBB6DF7955FF838400003FE13B716A12472,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458952Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:11.651{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C36A5261875E0020C384E5ACFCBD57C3,SHA256=70C83C0E6681ACF391148538F0F1132A033C71A9E6AEEF80121FF3AF7DF70BDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403871Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:11.429{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16AB478883AC847CFD07BF2F03A78B9F,SHA256=8BD93EB06D87F5CA89124342D34FB4077FE63FC22C05E3E9692D2C521E06F7A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458953Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:12.666{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64471FB26D46D3D32E8E2974F180BA07,SHA256=DF5CF2ED63900C54508F0FFC2AABCFCFF385BB65BAEB5416E8011E9A5FA398E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403872Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:12.429{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00E631481B0AAA2AB9B1D6305AF06C21,SHA256=14F8BE6ACD3CD6EAE26C2419D0B7E0A0C553FCE29EDAF92C7294ABA0BF6FB834,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458954Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:13.680{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79B8FBD4BE2BEEAA5A355D209545929C,SHA256=278C96E875527F34F6A5CE245E188F1E1F2F1FEC0E52CC5DA2B2EC9F293AF414,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403873Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:13.429{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFBF879DB74C98514AAE75FE7F3F8692,SHA256=99DCA833A1334B6322472EA690C9F092A3357FDF6D0E73F18012190FE91AE039,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403875Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:14.429{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBC7F7D64FAF0527671E680789AAFBCD,SHA256=B2A68384F1FD8927E947049E4410815A57E3B0B8092E86DE59EC708BA7F6158B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458955Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:14.695{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B4505DCA4CFF911A2ED56493F044CCB,SHA256=3D7A2DDA32F69D3D1DC67063E50C226567E87DAEE11040E8132A7EF3B86651E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403874Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:13.360{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54277-false10.0.1.12-8000- 354300x80000000000000001458957Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:13.673{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63312-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458956Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:15.729{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54E964FC880087335F0093E53349FACC,SHA256=EDBBDE4544E979BDB81F326CFE84DE50B21B7C460922BF58053A298280CF7A40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403876Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:15.430{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=490664500B3E1F311668CCBEFF4906DF,SHA256=0E29910582D693BC7DE0B4C6B56AD0C3DC5785F47EEED22DDB80975EC8FD243E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458958Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:16.746{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE0532BBE1FE266CA7118C0F624C3326,SHA256=6138236763149DA05DA5C3E0757139D488AC0FBB253F10D0BD63EAC4AF0A8803,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403877Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:16.429{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C77D3485A93743A61877AC520104A45F,SHA256=C601C85A13404AAC9F025E2A1CC450A907A4AEA74A508A451714117126E9804D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458959Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:17.761{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53CAF4B38AA4960F89076913A222A9B6,SHA256=98B1CF4DB31C2C833C34F70D2F9FBFF263C5C669C85246072271BD02AEF175FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403878Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:17.429{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A457C8CD8608AB769E32EBFBFE4F2211,SHA256=D3B06A7644719BFA04F7B700F22C0548961FCF7D981E2C471F0C925B80ACF92A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458960Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:18.791{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92E7D9B90A8AF769E5AAFEF07636BAF0,SHA256=13D09AF98BC57CC1A1D7A13A5C4B61DA54E0B339AD4AEE33D384BE0C7B9D79D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403879Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:18.429{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=432B082CA830D6364689E3F6C7756D55,SHA256=6F26D3FD3541AE28F5D479BA9DD843D36F428572E64506C3EE6EB09602FF8AD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458961Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:19.806{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=525AF85E48E508AAD5BDB94E34BB0375,SHA256=453832FBC7B9ACE45A98CE6AB9F9D709C230272DC667DA2ED8F20ABF178B1323,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403880Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:19.429{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06E996B78AC2D88E1683236AAFF933BF,SHA256=AC2EEA4F8796E9BA56A1DAB5E8702ADC9F967E3A441D4147606C985217DC957B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458962Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:20.823{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7804D1D1046D44FBD2A389253E93DCD7,SHA256=25B353251C81E5CA744B81115EA72849B894BC750B1DB4C381F7C665EDA89CB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403881Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:20.429{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6882037732AA21CF7919D03860569634,SHA256=2ABE6A7ABE3480885825E7CDDA3D79C0D3D4A6D08709F71F393F9EA98F2C3578,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458963Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:21.841{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F2F29A91D47F80E168D2F049B41A07A,SHA256=6F4470B5CF2A41505F159F402C14DE1B00134AD49DB71EFAF1C540C7195869E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403883Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:19.314{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54278-false10.0.1.12-8000- 23542300x8000000000000000403882Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:21.429{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEF6F81911277F771EE58D8742EA320E,SHA256=56DFE5D090A3CECE6A18EE0C9B613D127D6F3B078D98E3C0746731B9A5E5A24F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458965Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:22.871{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67C9A039BC8A725368C33FC76ACB6961,SHA256=4182359EB487648E2E395F2CE773FECB6373EEF2B7119402237AF5C8DA30DFF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403884Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:22.429{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=189560E24B1D11595303F31844E01199,SHA256=F9264620BAAB608716FAD05FC61CC0B4F830FE55BD9E644CDE3A69D501CE4DC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458964Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:19.668{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63313-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458966Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:23.886{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68D797426B6D6E67AD8275F1E85EE0D8,SHA256=004B3E92AFD4552800BEA8FD3C1B030D790B9C8A00E0339731BD908A3C2ABE78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403885Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:23.429{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8F8A2760770A3983A85EBF6B47A7981,SHA256=245F542FFA142209C16BFD242C85777F07C7DD522EC2C5F700F1935AFEF2ED72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458967Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:24.901{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEBBFB51156BCC45501CB93E8A009FE8,SHA256=6328B90D73BB0CC199755B5EEEB150530CB03F6F3C1FC521C274AF012221FACE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403886Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:24.429{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28839053F198BE120696D54D377A441E,SHA256=8D50AE20811D7AB467AD80C844CB653EB579397D361A7AFBAA3D970A195F9D04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458968Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:25.919{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B5CDBBCC5EB1CECA5A03CB5209BA7B2,SHA256=5BC254254A3D7026DCB4D1A43F2C35B350E6A982D72B1230417364FB579DB678,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403888Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:24.345{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54279-false10.0.1.12-8000- 23542300x8000000000000000403887Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:25.430{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47CBE66555D1005437A5805BCE04A088,SHA256=3318D154438D95A5E19EE84752B06F4564CAEAAAFC38626A0406058BEA56FC04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458969Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:26.936{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BDD29EE1F9CA86BBA76227D32E5D562,SHA256=3A7BAB5978208E069575F4ED489D94B671B5665C124A18EAFDA3F27DA666872C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403890Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:26.445{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5068A3423F0FAA743ECEE39418846C4B,SHA256=B7104C4B47B61A10FE70CC1CFC3822230A33F7B2A275339F26ECDEE24F80DC04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403889Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:26.430{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=286DB3254F44968422BE19BAF6CC548A,SHA256=8FC696F0FD4F7DD8CDAC31A254CD3743FD0834C16BCF44B4122AB5753C7FE9E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458970Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:27.951{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C81BB7F4D137DA93FAB2EBD35E810266,SHA256=1125A391EF17368E98DCEE20E7343A9268A21F4020B07122A8BA05BD7B26BD99,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000403901Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 14:00:27.798{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000403900Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 14:00:27.798{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0169c056) 13241300x8000000000000000403899Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 14:00:27.798{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7719d-0xba0f715d) 13241300x8000000000000000403898Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 14:00:27.798{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d771a6-0x1bd3d95d) 13241300x8000000000000000403897Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 14:00:27.798{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771ae-0x7d98415d) 13241300x8000000000000000403896Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 14:00:27.798{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000403895Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 14:00:27.798{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0169c056) 13241300x8000000000000000403894Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 14:00:27.798{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7719d-0xba0f715d) 13241300x8000000000000000403893Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 14:00:27.798{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d771a6-0x1bd3d95d) 13241300x8000000000000000403892Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 14:00:27.798{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771ae-0x7d98415d) 23542300x8000000000000000403891Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:27.438{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97CB662EA527C8AB464CE0749B7C2BCB,SHA256=B41C99317A3FEBA46F4E64603AAD6764412926DBAF00A05EE8B25E5723F427B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458972Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:28.965{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0A84E4D46306D2D1878C044DEF447D1,SHA256=140C31F18A3A6E6E40B923CE7390EA863A08843626C8CD42DE6E5D2278F041CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403902Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:28.454{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6F353F36120C33056CB996A5AD3D993,SHA256=0A84A02D5C798CF60146D960819927AD8FA6CAF8B4C4395D4F941135BCFCDAA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458971Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:25.643{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63314-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458973Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:29.979{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=584789F7D823FB31C591BE8B4B7E2CDA,SHA256=A03056E05467909C44890ACC8DE982983D8E405619D65B4109EC35360BEC6234,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403909Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:29.454{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA384F920C61C2D68A0C8AC9F3C812B5,SHA256=024EE141F846C68AC50D7BA5EC6FC3C5F562FAE1E3726684B1E24E6BED808C5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403908Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:27.476{7F1C7D0B-B3E6-60E2-3100-00000000D401}2984C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54285-false169.254.169.254-80http 354300x8000000000000000403907Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:27.380{7F1C7D0B-B3E6-60E2-3100-00000000D401}2984C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54284-false169.254.169.254-80http 354300x8000000000000000403906Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:27.325{7F1C7D0B-B3E6-60E2-3100-00000000D401}2984C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54283-false169.254.169.254-80http 354300x8000000000000000403905Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:27.324{7F1C7D0B-B3E6-60E2-3100-00000000D401}2984C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54282-false169.254.169.254-80http 354300x8000000000000000403904Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:27.324{7F1C7D0B-B3E6-60E2-3100-00000000D401}2984C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54281-false169.254.169.254-80http 354300x8000000000000000403903Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:27.323{7F1C7D0B-B3E6-60E2-3100-00000000D401}2984C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54280-false169.254.169.254-80http 23542300x80000000000000001458974Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:30.994{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0B9511B66008F35CE5A1A03BAF3F245,SHA256=D618F9FB6BCED501E891DEF855902ADEF742F5D608AEA33DEE3B1397A57128C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403910Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:30.454{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C42CCFB35AB3B2AE9665D842F599945,SHA256=2C2AE4BB35C2C1CB020BED9C69B49F8C5C2AFC8C465C7A54082412F5B282F8ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403912Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:31.798{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403911Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:31.454{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25E6EA2A7907EBAD67509F16EAE64F18,SHA256=E4D48EC200548752AC5F9ADA2AC06B83AF0D3FE5D151571A7C9AA1BB3E4C7E84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458975Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:31.231{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403914Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:32.454{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58FA6E5D40FE91DDE84D9E248046980B,SHA256=725D2392DC906A08A94341EAF654B2E8E080003924A89D9F0689212224F31031,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458977Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:30.652{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63315-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001458976Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:32.011{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C845DD132E8698138ABAA6628ABC161,SHA256=2E065DCB67DADE8D1A6C395A6C46714AFA4A55B2113F5803F218BD667FA19E63,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403913Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:30.307{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54286-false10.0.1.12-8000- 23542300x8000000000000000403916Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:33.454{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15BBD75446339A3F3EABE663EADE40AE,SHA256=9D881DE02B9FD0450D0B611541E250276DDACF3FC35F9E472A6CFB7067E88350,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458979Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:31.635{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63316-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458978Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:33.030{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=154D0A33F15E71DA509C37CB626AFE1A,SHA256=9ED61A89D0C7B20CF767FED4DCDB8B676F234FDD9725E1FD93C820FF0F30112E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403915Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:32.010{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54287-false10.0.1.12-8089- 10341000x8000000000000000403931Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:34.673{7F1C7D0B-1082-60E3-640B-00000000D401}3056812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403930Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:34.485{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-1082-60E3-640B-00000000D401}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403929Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:34.485{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403928Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:34.485{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403927Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:34.485{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403926Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:34.485{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403925Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:34.485{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403924Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:34.485{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403923Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:34.485{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403922Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:34.485{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403921Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:34.485{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403920Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:34.485{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-1082-60E3-640B-00000000D401}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000403919Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:34.485{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-1082-60E3-640B-00000000D401}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000403918Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:34.486{7F1C7D0B-1082-60E3-640B-00000000D401}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000403917Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:34.454{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B0FA653421D88D9D5C58ADA1339F902,SHA256=00A0814EFAB4DB0DDBF11D52BC66F332EB384156D0186028044F50E867643425,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458981Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:34.212{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=3FA798222186752E49B277C3E08030AA,SHA256=24B95B7AF26873E6E75C75D9012ED582B7B1DAF596F9B04297E77242E8A88AC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458980Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:34.044{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC6BAEABF460B9F499F5304705BB1709,SHA256=B93C24809DDE6465FCA608A40E8716C56EF39A8216D964DE654D9C265969BD34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403960Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:35.704{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69B18A4702D4D719CA7BD5EDBF2287D2,SHA256=8C7A7388E15D7217A1FD9DBE8E3EBAFB5EDF6B1FDB05FDEFB0F979A0EC7D14E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403959Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:35.704{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A04E0ECDA3227E9DD44FB1258B830DDD,SHA256=E263B566555DBE7DDB7309992411F25F12D4748A53B26046BA33FB727EBCB0A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000403958Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:35.657{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-1083-60E3-660B-00000000D401}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403957Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:35.657{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403956Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:35.657{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403955Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:35.657{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403954Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:35.657{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403953Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:35.657{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403952Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:35.657{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403951Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:35.657{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403950Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:35.657{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403949Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:35.657{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403948Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:35.657{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-1083-60E3-660B-00000000D401}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000403947Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:35.657{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-1083-60E3-660B-00000000D401}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000403946Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:35.658{7F1C7D0B-1083-60E3-660B-00000000D401}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000403945Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:35.579{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CFB8213BF14AA8197D7E1E748FE2D7D,SHA256=D055D1E61236D00208BA7597CF73B035BC74D80D5E641EE9FE302DDB1291F530,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458982Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:35.045{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=979141D97E0B28D62A527D5BF51FF45F,SHA256=FCB925219C2CFFB62E5902213F8F5139902198BFE20E5E8760111BD67AC21C88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000403944Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:35.157{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-1083-60E3-650B-00000000D401}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403943Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:35.157{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403942Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:35.157{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403941Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:35.157{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403940Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:35.157{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403939Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:35.157{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403938Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:35.157{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403937Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:35.157{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403936Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:35.157{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403935Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:35.157{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403934Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:35.157{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-1083-60E3-650B-00000000D401}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000403933Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:35.157{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-1083-60E3-650B-00000000D401}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000403932Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:35.158{7F1C7D0B-1083-60E3-650B-00000000D401}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000403961Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:36.704{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D655A063707F6C4B614C8FF9D814BA5A,SHA256=791A8BD83A6D222BE0084BD72A6918589CAA8E03C1ECB9C12B6EC207A6E890E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458983Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:36.075{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2E569BE95561A2C87ABE8D8141F2E8E,SHA256=21094FD7547F970EA289EC8B57506252174DF5115680B272467A8F428F54B6FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403963Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:37.735{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12C8E65B81AD905ED3F3452F9443AC5A,SHA256=F82E9465D922483B5A9CCC92913C777BBCA43D2D726EBA574A16DB75C516537C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458984Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:37.090{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16B72BD1407C5B8C9BD968C254F146C6,SHA256=347C3411313FACFDC24810F1432B0B1ADE68A320CF50987E581F54822237C383,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000403962Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:36.338{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54288-false10.0.1.12-8000- 23542300x8000000000000000403964Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:38.829{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB9108DDF05CD0B4C26CC6817606836E,SHA256=2C99AEAFF6A72B26D85C11CEA9A0BB27F30A5F46DE4AF285F171F645CC165A4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458985Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:38.108{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6BEC74060D12416C378C24BAA76902B,SHA256=03B2D3423FECE8537A6EF44459ECFC1647F5E551EB7730BCC3E99054965EEA7A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000403992Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:39.954{7F1C7D0B-1087-60E3-680B-00000000D401}3460504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403991Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:39.641{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-1087-60E3-680B-00000000D401}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403990Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:39.641{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403989Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:39.641{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403988Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:39.641{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403987Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:39.641{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403986Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:39.641{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403985Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:39.641{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403984Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:39.641{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403983Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:39.641{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403982Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:39.641{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403981Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:39.641{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-1087-60E3-680B-00000000D401}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000403980Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:39.641{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-1087-60E3-680B-00000000D401}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000403979Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:39.642{7F1C7D0B-1087-60E3-680B-00000000D401}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000403978Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:39.376{7F1C7D0B-1087-60E3-670B-00000000D401}31122604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403977Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:39.141{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-1087-60E3-670B-00000000D401}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403976Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:39.141{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403975Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:39.141{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403974Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:39.141{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403973Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:39.141{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403972Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:39.141{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403971Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:39.141{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403970Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:39.141{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403969Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:39.141{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403968Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:39.141{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403967Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:39.141{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-1087-60E3-670B-00000000D401}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000403966Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:39.141{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-1087-60E3-670B-00000000D401}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000403965Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:39.142{7F1C7D0B-1087-60E3-670B-00000000D401}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001458987Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:37.651{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63317-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458986Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:39.126{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75770CB2EBEEF3377964065D36FB2277,SHA256=4E1B0E5BCFB8F2942B42D5EED1F092CB4FCE932BE2580AC5526EAA6475B129DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000404020Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:40.813{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-1088-60E3-6A0B-00000000D401}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404019Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:40.813{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404018Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:40.813{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404017Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:40.813{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404016Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:40.813{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404015Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:40.813{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404014Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:40.813{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404013Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:40.813{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404012Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:40.813{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404011Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:40.813{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404010Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:40.813{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-1088-60E3-6A0B-00000000D401}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000404009Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:40.813{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-1088-60E3-6A0B-00000000D401}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000404008Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:40.814{7F1C7D0B-1088-60E3-6A0B-00000000D401}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000404007Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:40.267{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2155F2596E4CC7AC2FAAFAFC2C74E230,SHA256=5D8A1AE2460128C24793B1A4705D7A3BA383C56395D390417CE7AA0832CAACC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404006Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:40.267{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69B18A4702D4D719CA7BD5EDBF2287D2,SHA256=8C7A7388E15D7217A1FD9DBE8E3EBAFB5EDF6B1FDB05FDEFB0F979A0EC7D14E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000404005Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:40.141{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-1088-60E3-690B-00000000D401}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404004Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:40.141{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404003Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:40.141{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404002Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:40.141{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404001Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:40.141{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404000Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:40.141{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403999Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:40.141{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403998Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:40.141{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403997Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:40.141{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403996Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:40.141{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-1088-60E3-690B-00000000D401}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000403995Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:40.141{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000403994Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:40.141{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-1088-60E3-690B-00000000D401}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000403993Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:40.142{7F1C7D0B-1088-60E3-690B-00000000D401}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001458988Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:40.141{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07D9F9BF6BD2A81BEAE90B0FCCD5D4FA,SHA256=2F9ABFDA5CCD4BF84BFB270691F672664E075C5A116CBCE6791A5D1C9741BE93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404023Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:41.407{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=071AF3267E74C8CEB18851173C6BAADF,SHA256=0A3F01FB5AB5786B24CB441A4C8BECB0BC40A3566DE6AECA94FAE6FEDABD4237,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404022Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:41.407{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=678F125FDC972837309E33FD8F0943F5,SHA256=DB9D7759B03B9CDD379B1D5FD3EF48BBC65BB470B6620885039FBD5B1A8C3987,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000404021Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:41.016{7F1C7D0B-1088-60E3-6A0B-00000000D401}34801556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001458989Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:41.156{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5A1A13AF8400F60D141E4E8C6A62F48,SHA256=3775E96F37389CFCE8989E322597717506FEB6F4B2EF636E56BB0E21B4629C07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458990Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:42.170{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35235B487246C31A88B52D4C9F5E28A1,SHA256=55493B9CED59FD3BF036A24C1131E678722AE7804D236C0AAC19D387B3E9338D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404024Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:42.032{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4314B9B95B9AE87679D38D8AA3A25A78,SHA256=B6A0FE1494A448FFC0A7505A974BD6379C9955C1C41786192A1FA0E2CD36B576,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000404026Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:42.339{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54289-false10.0.1.12-8000- 23542300x8000000000000000404025Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:43.032{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06A69D4320954C23F1D91A5FCAB2EA1A,SHA256=CC3F14FE98937F36C4EEC39EE9A58837B59E3C8314C2228BD97D83DCE035268A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458991Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:43.185{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3026D5F45869728B92955BF88F998C5,SHA256=B6F14924B4A43BCA28790B11E380B8FB9646E50C697FFF54C73E2D0FE28F9CFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404027Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:44.032{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=154E92A414541EC528F117C64DB2E5C0,SHA256=94E574B9E8BD0F0991630673264534ABC4B2B27DAB22FCBC4C04B0F762550113,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001458996Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:44.921{D694AEB8-B3EA-60E2-0D00-00000000D301}9163368C:\Windows\system32\svchost.exe{D694AEB8-D133-60E2-0F04-00000000D301}3340C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458995Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:44.269{D694AEB8-D134-60E2-1A04-00000000D301}46644760C:\Windows\Explorer.EXE{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55af0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802AE65A8C8)|UNKNOWN(FFFFFD032B8B4A68)|UNKNOWN(FFFFFD032B8B4BE7)|UNKNOWN(FFFFFD032B8AF271)|UNKNOWN(FFFFFD032B8B0C3A)|UNKNOWN(FFFFFD032B8AEEF6)|UNKNOWN(FFFFF802AE371E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001458994Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:44.269{D694AEB8-D134-60E2-1A04-00000000D301}46644760C:\Windows\Explorer.EXE{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+555d1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802AE65A8C8)|UNKNOWN(FFFFFD032B8B4A68)|UNKNOWN(FFFFFD032B8B4BE7)|UNKNOWN(FFFFFD032B8AF271)|UNKNOWN(FFFFFD032B8B0C3A)|UNKNOWN(FFFFFD032B8AEEF6)|UNKNOWN(FFFFF802AE371E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001458993Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:44.269{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF169ee0d.TMPMD5=919ED2825C4A4BDE663AD9667A5FF39D,SHA256=D678DD1D213D56000B1DC130EB771A2956EF5AEB8342955305D734169A4F7A37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458992Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:44.202{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=305586A21C22B1103401222C3CCA4EC2,SHA256=E009B99A4CBF9EAADBE921687120F061F91444808887EEDEE48DDF38969F634A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404028Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:45.032{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=060DB6EC4C3C566DA4D5CE0947C98D08,SHA256=4E8F013ED175D42CCD837380B8ED44D0A3F7554D07EEEE47F4295E676B52A834,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001458998Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:43.665{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63318-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001458997Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:45.222{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CF1AC0DB0DDF3669658207C42C12945,SHA256=C456FEE6A6C18CD4B8334947DD6EB12B944FDB3C8B99644538A4150E71626AC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001458999Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:46.237{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC8717284BA8DE5A90E58AD2B75A4E5E,SHA256=6E1CAFF2375E12E4B295D45D835C13774F1C85CBAB7CDB79F22996C22936DD6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404029Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:46.079{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=067C225F42742115558DC1651E58D223,SHA256=6C9C1DAF3930BAF59D048864614CEA1CE34953B22D57882A957A16FEBCE6C2DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459000Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:47.267{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=124FC933267317D2395A3D26BBC6C6C1,SHA256=2902DF66EF7C4C21E8055F1527642DACDCE9FCC90825261D7CEAB700358DC304,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404030Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:47.126{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E94A51F7172FAB2777D8D5E9F39FA97,SHA256=BDA8F5B4AEBE5D25BE7087BA8A5D79C4FA717FDF59A2564369D9DA70BB062294,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459001Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:48.299{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A64C43F8F5657DF23D8333B1994A184A,SHA256=BEB33B921F45A526B8C18A86BE4308B5C78E77F0CD98745C4CC9C4E80AF9CD72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404031Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:48.157{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0504DFED0BD31B1F4ECBD3683C318FB8,SHA256=572B8B8A8459DAD6BC3A9FA65395361FA6A529577C85CD35D97EF6C22847FBF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000404033Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:48.323{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54290-false10.0.1.12-8000- 23542300x8000000000000000404032Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:49.173{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57093DE6E17FAF139D11A3B583BA046A,SHA256=AFCE9DCD7FC892F36AE28AEBC3C4190C563678F42AC3C71E899C5C1216B166E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001459004Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:49.582{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+169a00f|C:\Program Files\Mozilla Firefox\xul.dll+6828c0|C:\Program Files\Mozilla Firefox\xul.dll+17948c2|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571|C:\Program Files\Mozilla Firefox\xul.dll+2bbf9e4|C:\Program Files\Mozilla Firefox\xul.dll+6177f1|C:\Program Files\Mozilla Firefox\xul.dll+2d81e48|C:\Program Files\Mozilla Firefox\xul.dll+2d8d317|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+40208|C:\Program Files\Mozilla Firefox\xul.dll+122aede 10341000x80000000000000001459003Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:49.582{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+11fd9e1|C:\Program Files\Mozilla Firefox\xul.dll+122efe9|C:\Program Files\Mozilla Firefox\xul.dll+122ef09|C:\Program Files\Mozilla Firefox\xul.dll+122c730|C:\Program Files\Mozilla Firefox\xul.dll+122cc44|C:\Program Files\Mozilla Firefox\xul.dll+16b3e21|C:\Program Files\Mozilla Firefox\xul.dll+6817b9|C:\Program Files\Mozilla Firefox\xul.dll+6816c4|C:\Program Files\Mozilla Firefox\xul.dll+6814ad|C:\Program Files\Mozilla Firefox\xul.dll+6810b4|C:\Program Files\Mozilla Firefox\xul.dll+17948a3|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002 23542300x80000000000000001459002Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:49.319{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A53A9FC48BDA4076C8FF6B9F2D0662BB,SHA256=9B70424F05770AACEE6133E69C3FA99D6B0E01271422BA80B5B2194BD9E7161B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404034Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:50.376{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F4B0C332C5EFCE313ADB0449C0A2117,SHA256=01C4B910C95BE9B02785C7CCDB349CB451D03AE1D61F948825FF7C9EAFB59F2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459005Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:50.334{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDE36B070CB9A1CA98D27CF2BCA68CB9,SHA256=108838B7FBD275252B35DBD507B3FC5281AA1F92CAC3FA03079AF6D3A578CB24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404035Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:51.407{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F50083A1FEF1A9137D9CF31E2340EF15,SHA256=A60260B04975618D14FE5411B8886E67DFADDEA7D3436013D0737AC29F01FA6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459012Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:51.349{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCB821070185698216F2A090950BFEB5,SHA256=2A9120689613795AFBEC88B0B16830779FB364404E173C873D96114153291C9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001459011Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:48.809{D694AEB8-B3FC-60E2-3900-00000000D301}3280C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63324-false169.254.169.254-80http 354300x80000000000000001459010Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:48.688{D694AEB8-B3FC-60E2-3900-00000000D301}3280C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63323-false169.254.169.254-80http 354300x80000000000000001459009Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:48.646{D694AEB8-B3FC-60E2-3900-00000000D301}3280C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63322-false169.254.169.254-80http 354300x80000000000000001459008Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:48.645{D694AEB8-B3FC-60E2-3900-00000000D301}3280C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63321-false169.254.169.254-80http 354300x80000000000000001459007Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:48.644{D694AEB8-B3FC-60E2-3900-00000000D301}3280C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63320-false169.254.169.254-80http 354300x80000000000000001459006Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:48.644{D694AEB8-B3FC-60E2-3900-00000000D301}3280C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63319-false169.254.169.254-80http 23542300x80000000000000001459014Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:52.364{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64D62B55634CCC168EAB11FAEB3BA5B2,SHA256=6B7C10283A0418A32082EB760095AB051B6B7EB12413E96FD5F0350DCA7137AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404036Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:52.438{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60C183CBE0A167B369FD2F212973249E,SHA256=D4BCDEAD0AEA3FC1EB16D3AEC6C2F5BD7885FB9E976F6FE1EFDE0A5AD129C01D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001459013Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:49.640{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63325-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001459015Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:53.378{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37E8E7D31157211F3A39717CB2D66F41,SHA256=B699F6C03AAD3B348B81B760510EDC9A5F9A08E3D267644A7E8752ED998CBF83,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000404040Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:52.278{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-62578-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000404039Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:53.454{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1412EE60C2AB81C500FD5B1BA1FFE171,SHA256=5A0483F13B06D42D5881862B8C2844CB8BE809D348667AE069E1D4996519AE8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404038Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:53.407{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD30389DCFC4585E0BC65D1589036CB9,SHA256=8457127C469A9EDC062DE0E093538DE3CE00154E8F354B8B85020FD675A90CD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404037Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:53.407{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=695DE91308A2864A2FFFD0CFED5A98EB,SHA256=C19EAD8F472570F8A0F8A4D8CA5B8BD943E2E2E59FE07916CF5B44E5213F8320,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404041Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:54.485{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BBE2DC48C6435BA173A54930483D709,SHA256=E68047EF9ECC70160FC50F9F869F5A9D7B8CD4A5D22CB758C946604625D27800,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459016Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:54.398{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9411B12EF372FD1A5AA0222B4791184,SHA256=8A1873709E46DA89A7932713946E978A7AEF19944234D1BD82652A5FD1E93BA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000404043Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:54.323{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54291-false10.0.1.12-8000- 23542300x8000000000000000404042Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:55.595{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=949467360A0AD294DAF62DF375F7A42B,SHA256=B12CD7CDE1240F6206F4F9FF0609F5771907055DE9041347662AAC3E9AF966BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459017Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:55.413{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF14649A749E32EC538F47EFD08F1918,SHA256=D3791037119922A0788FAEA82F8BB5A2CF18021D58ACD57B9465CAC7067B8AC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404044Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:56.610{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82C959172AC9ADD7FAB1E4A7C7073C91,SHA256=51E128E8372AF9197676BE1D587841681374C5402B3E0BEBFB6F0D2FB933F18A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459018Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:56.444{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8320F1F7D765DA5B1882073CB3E18BAF,SHA256=4ACABB503DD9A40DC3BE66B2CF6BBDB987809B5D5CB1D18B794237AFC32BAD43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459019Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:57.458{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B4FF0485E45999D37D6AB51457F8EA1,SHA256=93B298FA2A2CD34A1850452AEF8319362435321EB029B4DE1961E27B5B7C228C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404045Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:57.626{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1E4F7C1B89E51AF0C4D0CD66AF7BEF9,SHA256=15F60437F35E7A40B8B0970E1814BC4C4B52420814D9F3580225145DE3E9ECD8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001459030Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:58.829{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-109A-60E3-FD0B-00000000D301}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459029Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:58.829{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459028Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:58.829{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459027Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:58.829{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459026Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:58.829{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459025Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:58.829{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-109A-60E3-FD0B-00000000D301}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001459024Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:58.829{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-109A-60E3-FD0B-00000000D301}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001459023Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:58.830{D694AEB8-109A-60E3-FD0B-00000000D301}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001459022Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:58.473{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F10C7615AF2B6FFB53A6192324F851DF,SHA256=FAAF4C14523DA4886573330E033266855BE683663843B575AF5FA887ADB4C2BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404046Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:58.626{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEF24D6D7462C38D826C28C25C315DD6,SHA256=DE6645510378250862AC9C30B5A28DE3AC65ACCB82AFA4981AFF0E6AE5C6EC67,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001459021Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:58.311{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXEC:\Temp\New Text Document.txt2021-07-05 14:00:58.311 354300x80000000000000001459020Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:55.633{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63326-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000404047Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:00:59.626{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5C1469DF581D290079240CE46A824EB,SHA256=A04BD2391E244068F1DFB5E1A85FB1A311D805B5406FC1D3B311D81AC3924A40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459042Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:59.844{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48BC344EBDBAE26FA8EFFDD9ADB4E36F,SHA256=10166858BB9B7E04DB4413BBF26FCC7C1E6036DD2F755164F1210D517FC33352,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459041Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:59.844{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F394E2FBD061D288639A90E6D0242BD,SHA256=B5700D39642EEA48B3963122301BB271168BF87A98E6FC064102605A163D1576,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001459040Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:59.675{D694AEB8-109B-60E3-FE0B-00000000D301}60484080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459039Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:59.513{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-109B-60E3-FE0B-00000000D301}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459038Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:59.513{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459037Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:59.513{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459036Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:59.513{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459035Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:59.513{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459034Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:59.513{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-109B-60E3-FE0B-00000000D301}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001459033Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:59.513{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-109B-60E3-FE0B-00000000D301}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001459032Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:59.513{D694AEB8-109B-60E3-FE0B-00000000D301}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001459031Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:00:59.475{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74F1EA89F0350ED7BC4619C07B3B1A11,SHA256=EA16B2FD7FD0FAA18CADB81A7827BFDDFAEDF5964E16F46D5F9C1CA62C9E23DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404048Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:00.641{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A85B5955893496D8F2D07EE2803AC2B5,SHA256=794E9067A19D6DC29AA9B9A8F56B67E9E108DC3A3BBFAE8B49D93E3E393D649C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459051Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:00.496{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87D5B8869CEDAE8712A8E4CE7A13C672,SHA256=DCD4756AB2C078F41E1354B4E152D57D8A88E260CE2FBAA7C22EE955ADA3F645,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001459050Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:00.174{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-109C-60E3-FF0B-00000000D301}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459049Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:00.174{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459048Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:00.174{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459047Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:00.174{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459046Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:00.174{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459045Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:00.174{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-109C-60E3-FF0B-00000000D301}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001459044Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:00.174{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-109C-60E3-FF0B-00000000D301}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001459043Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:00.175{D694AEB8-109C-60E3-FF0B-00000000D301}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000404050Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:01.644{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20E321B815A1216C812C0CC409E781E9,SHA256=9261BEA40FF9AFB94834F92175C9CB98CBC92779556D6A06066205DBE0FACFF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459053Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:01.511{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29A3E5ED89A918F1CAFA012E554FBA88,SHA256=A4872D96399DE1C1A3C2E4A241408159D12872F1959E2BBFE089C0867C7FEA18,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000404049Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:00.300{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54292-false10.0.1.12-8000- 23542300x80000000000000001459052Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:01.227{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48BC344EBDBAE26FA8EFFDD9ADB4E36F,SHA256=10166858BB9B7E04DB4413BBF26FCC7C1E6036DD2F755164F1210D517FC33352,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404051Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:02.646{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA24382C28420249025A0A5B390C75B1,SHA256=AADCE4983B367A07418283B084C367DB29E01A6972006CC7F8A7C982A515A7B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001459063Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:02.793{D694AEB8-109E-60E3-000C-00000000D301}42205436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459062Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:02.610{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-109E-60E3-000C-00000000D301}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459061Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:02.610{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459060Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:02.610{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459059Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:02.610{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459058Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:02.610{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459057Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:02.610{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-109E-60E3-000C-00000000D301}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001459056Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:02.610{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-109E-60E3-000C-00000000D301}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001459055Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:02.610{D694AEB8-109E-60E3-000C-00000000D301}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001459054Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:02.525{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8FAD9023EC43893ED6210983EC85917,SHA256=35227DA0C6628F1A9A95F0A8CA16E216CA2B16E8AC1C391D97BB66EB07BCDE64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404052Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:03.646{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C0707E453979A01CD71122C52D9D9C1,SHA256=0042DB1EDEE102A91BC67DD6B88630849D478778FFE133C0683EF05E0861866E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001459082Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:03.840{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-109F-60E3-020C-00000000D301}7116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459081Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:03.840{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459080Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:03.840{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459079Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:03.840{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459078Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:03.840{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-109F-60E3-020C-00000000D301}7116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001459077Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:03.840{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459076Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:03.840{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-109F-60E3-020C-00000000D301}7116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001459075Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:03.842{D694AEB8-109F-60E3-020C-00000000D301}7116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001459074Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:03.610{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70E2491F8058A75A1432DA88BC6EBB93,SHA256=75252FFC6688534BC30F0888C7DF042FDE8BA53364F6FE12EEEA1B5286D0FE16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459073Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:03.541{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AA12D36B504D9A00841F541347AA869,SHA256=3295D9F03EE7AA42AC25449F972563A8E2E14608B9FDCF86363C52C0066AFC46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001459072Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:03.409{D694AEB8-109F-60E3-010C-00000000D301}17923752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459071Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:03.225{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-109F-60E3-010C-00000000D301}1792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459070Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:03.225{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459069Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:03.225{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459068Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:03.225{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459067Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:03.225{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459066Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:03.225{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-109F-60E3-010C-00000000D301}1792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001459065Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:03.225{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-109F-60E3-010C-00000000D301}1792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001459064Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:03.226{D694AEB8-109F-60E3-010C-00000000D301}1792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000404053Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:04.646{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8DB66941A5851346017529EF61C64E7,SHA256=2BE73A0CBF192CE40F21FBFA58C161A20D0946D77EC41EFEF689D518898D2400,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459094Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:04.855{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A818CBB5DEF5072691BA1FE7C1D7B11,SHA256=563873CBDD6F55BC39BCC82F433B0381DCA6E4CF02676084997241B9F802816B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459093Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:04.555{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA14D45A3639E186605BB025082A48D6,SHA256=886C4B9445C2B555A85D9259A18C15FA8E131E36C643F245A31C8EC4745FDBA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001459092Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:04.508{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-10A0-60E3-030C-00000000D301}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459091Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:04.508{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459090Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:04.508{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459089Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:04.508{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459088Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:04.508{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459087Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:04.508{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-10A0-60E3-030C-00000000D301}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001459086Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:04.508{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-10A0-60E3-030C-00000000D301}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001459085Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:04.509{D694AEB8-10A0-60E3-030C-00000000D301}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001459084Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:01.635{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63327-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001459083Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:04.024{D694AEB8-109F-60E3-020C-00000000D301}71166652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000404054Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:05.662{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C1FFFDFCEAA693F64427E84E5CF9836,SHA256=1D5CA9F763340E1BD435F1476670D933BF2851CB130C9F1741BDF3435652D90A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459095Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:05.589{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E74DCB690B2AC087A42B32C6B5A7AB77,SHA256=BA41A93627FB3AFE7BE6370147CD11C755878F1755EDBDDB2EDB09FFEA00B4A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404055Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:06.662{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1562049163A8AB867D75C913E36D858B,SHA256=6BE1ACB0CD2D44456858570A51E21A4134FE3C290836E6401A67A7D0083C1489,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459098Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:06.608{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FCB815B36820D084CC2CF48C15B7BF8,SHA256=14FF0AA7E338699404D1B81CA02A973CAAAF82121BA625E53AD3BA33CBA42D5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001459097Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:03.667{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local63328-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001459096Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:03.667{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local63328-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x8000000000000000404056Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:07.662{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F430A0CC56DAC5537138FC4971C1BEB,SHA256=7A2EEC7190A651933F702425FF2EEED74D935ABEB3E10A5925FE8C2EC3563CC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459113Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:07.638{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26FA3B3B8191B19075E439F7ABD191F4,SHA256=F9191060DD9FAF2CB45CFCF69C53E70904E3327FEA5FCDBDF803D7078984018D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001459112Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:07.438{D694AEB8-D134-60E2-1A04-00000000D301}46644616C:\Windows\Explorer.EXE{D694AEB8-FCBE-60E2-8009-00000000D301}5812C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459111Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:07.438{D694AEB8-D134-60E2-1A04-00000000D301}46644616C:\Windows\Explorer.EXE{D694AEB8-FCBE-60E2-8009-00000000D301}5812C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459110Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:07.438{D694AEB8-D134-60E2-1A04-00000000D301}46644616C:\Windows\Explorer.EXE{D694AEB8-FCBE-60E2-8009-00000000D301}5812C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459109Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:07.423{D694AEB8-D134-60E2-1A04-00000000D301}46644812C:\Windows\Explorer.EXE{D694AEB8-FCBE-60E2-8009-00000000D301}5812C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459108Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:07.423{D694AEB8-D134-60E2-1A04-00000000D301}46644812C:\Windows\Explorer.EXE{D694AEB8-FCBE-60E2-8009-00000000D301}5812C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459107Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:07.423{D694AEB8-D134-60E2-1A04-00000000D301}46644812C:\Windows\Explorer.EXE{D694AEB8-FCBE-60E2-8009-00000000D301}5812C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459106Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:07.423{D694AEB8-D134-60E2-1A04-00000000D301}46644812C:\Windows\Explorer.EXE{D694AEB8-FCBE-60E2-8009-00000000D301}5812C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459105Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:07.307{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459104Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:07.307{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459103Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:07.307{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459102Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:07.307{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459101Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:07.307{D694AEB8-D131-60E2-0904-00000000D301}1716440C:\Windows\system32\csrss.exe{D694AEB8-10A3-60E3-040C-00000000D301}5632C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001459100Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:07.307{D694AEB8-D134-60E2-1A04-00000000D301}46644516C:\Windows\Explorer.EXE{D694AEB8-10A3-60E3-040C-00000000D301}5632C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+80337|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHELL32.dll+16d60c|C:\Windows\System32\SHELL32.dll+19e7e8|C:\Windows\System32\SHELL32.dll+2844a3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+16d8b0|C:\Windows\System32\SHELL32.dll+16ad2e|C:\Windows\System32\SHELL32.dll+737a1|C:\Windows\System32\SHELL32.dll+76686|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x80000000000000001459099Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:07.317{D694AEB8-10A3-60E3-040C-00000000D301}5632C:\Program Files\Notepad++\notepad++.exe8.1Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Temp\emu.bat"C:\Windows\system32\ATTACKRANGE\Administrator{D694AEB8-D133-60E2-3BFB-250000000000}0x25fb3b2HighMD5=83ED7E2F4AF02283339356225999FEF8,SHA256=28F962C80877E7ACA161E48C96B2B3FAAA349E09A7B0CB581AD82FF5973199DF,IMPHASH=7236FF60543B79832A91234BD0EDD2A0{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000404058Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:08.724{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02E4A695FC62541516757089EC46EABB,SHA256=9516DE78EA618C0B7741F33572D1A5D05D703A1D25967C0C89D0B4D41FD6CEE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459115Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:08.687{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ABC4D5AFA3967CD033526CE40358FC7,SHA256=3B0215E0B203085DFEF0C4BD714ECA1BB4956B6728F0D3AECCDB0D27146A265E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000404057Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:06.265{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54293-false10.0.1.12-8000- 23542300x80000000000000001459114Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:08.322{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B68B3743C669D0162CC99AFEBA6144D5,SHA256=100865F2012C12A398845A5800FBAA8A136120C7B48F50ECAA33BC25369EC7B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459116Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:09.720{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D88AA2856B4710A753050F1A07A87AA5,SHA256=160811B521897DF064FC0466951674AABA478F2055DA1513035C2983A02CBF88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404059Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:09.724{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18C04459C52E8D01A6F6A9D8E32426F2,SHA256=5928023BA4B4F00F4AAAD5E60FD6243BE602EF46526DBEEA59830932EE06B769,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459118Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:10.722{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0165DF7E9A2829004613A5E6F6755A0,SHA256=3D38F8C39486B3DE3AF6D08CB7E09A5A9D92278B1862DF42807926C8F8BE696B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404060Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:10.818{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=657149FFE8FC7688AFCE5AEB1C7B728E,SHA256=32A32D67DDD761AA4F0A374B57A676EF33658CF4180EC5DADE6303BECFFD1C70,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001459117Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:07.665{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63329-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000404061Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:11.834{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64FA5B33FF374915C9CEADF9441975AE,SHA256=E5955D7D6AC4D4AAE0660124B09E127117F8304BEA2012C5B1552A6A1317A252,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459125Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:11.737{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E954782B0D0C8E3CD09EA5F1C200AEE8,SHA256=1A4D0A0A4549F95FE44B1AEA9CB38B47DDF7C4FA16C0CFF2DB03E7F5A9E66122,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001459124Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:11.406{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459123Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:11.406{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459122Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:11.406{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459121Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:11.406{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459120Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:11.406{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1600-00000000D301}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001459119Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:11.069{D694AEB8-FCBE-60E2-8009-00000000D301}5812ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=BFBEE205A88D217F487237D86465C1F0,SHA256=49868C7403EEE7ED039A44230457D95FFF6DF84A5C927B3C55D95571A42C8114,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404062Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:12.849{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BA279133F3A8DA6EE1A99D5F72BC4FC,SHA256=DD8752EA760ED293AA24C9DFE63F9362F32376380D5BE327875001C0831E7726,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459127Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:12.752{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F50E31EF6542DF7D444A21EF97C8CDCA,SHA256=2A59A9A17573268DF7FCF477EC3CF629ED18ACD14BF22C6A4611F280CF9136C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459126Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:12.437{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF0A0FF14F535D638C24A7735C86FF68,SHA256=A6BBACC3DC0541CB3E84046D088C545EB5B8885611EE6F839D9580B0404C5C21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404064Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:13.896{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDAF83DA374FD4710966FDF3228821D4,SHA256=8C3FB12D995211829A46A4D1316D2B23FD7B067973F1430E71FA61E6ED797CF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459128Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:13.767{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23FB4E32597FFE66FD8E5FFE47D6EADA,SHA256=38D6787B83F86025EB8AF758FA8A3FE5A8D7FA7402E33A3F00D0905FDAF4E84A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000404063Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:12.281{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54294-false10.0.1.12-8000- 23542300x80000000000000001459129Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:14.767{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A61FDCC6BCFBE92D7DE2AA77B9615D5F,SHA256=C59D794A7673CFB3649E58D408F39EA689BCBB49EC7445636939A8591820BD99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404065Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:14.912{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10BCA75D43427CA16AC6D4F5467166B4,SHA256=3215560905F36A09E7E5EAC793050E19D9A01288FF637675A2FD1BB14E28B549,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404066Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:15.974{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58C5693B88E7D3A6470E4B4F9056F63A,SHA256=6ABE6A5B4BE85C672F8B0FF200A61567D0DEF3A494E9FFEDCCDD447430376129,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459131Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:15.819{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BEB991361AED60319CE5E6EC1E1D10A,SHA256=ABB69B1A4B1FABCC0A49456429C7AD6F9732AA1BCB4C1FE4054B37EB936DF295,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001459130Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:13.679{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63330-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001459132Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:16.849{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F20EC80EEDB65DC54CC449744CAAB8BB,SHA256=E296895EE51FD6AF92D5095BF26F7AE69E053E86A574B7D343B38EC3EDD2F16C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459133Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:17.864{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D2A3D9CA2306AC63597717FC3A75916,SHA256=6EAD0321C6CD82A9AD2EA66C5924922F9C83E8969757EDD7B36169E96EEFDB89,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000404070Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:15.645{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-56681-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000404069Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:17.240{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58C3628B8C1DC2218F63D13B107AE341,SHA256=38968B48DD263189FC09EC0F5EAEC0B96788776320ACE5D0A6445A5C7CD084C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404068Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:17.240{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD30389DCFC4585E0BC65D1589036CB9,SHA256=8457127C469A9EDC062DE0E093538DE3CE00154E8F354B8B85020FD675A90CD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404067Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:17.177{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8F6AFA5CEB4A94336195AEEE5118B6E,SHA256=594EC606F1025CCB7424FA7550DFB9B4571FC7114C256978F828CD3AE52462B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459135Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:18.900{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7201BEBFB1AC6AF2029EF3729CA4CF63,SHA256=3240805FECB511EA26EF3447D67E08D7981F65D4DE8EE7FE79DA6824F809347E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404071Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:18.177{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED22308F2854763B277AFDE2F196836F,SHA256=6DF5F7532C4F51694DDA168C71BF10536DEDDB46DDE276BC6B72E524F5012258,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459134Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:18.080{D694AEB8-FCBE-60E2-8009-00000000D301}5812ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\emu.bat@2021-07-05_140111MD5=40B65469E7F3D4D39C36C6F23EE6C8ED,SHA256=D870EF1ADF7E00EB3EC1EED61108705A5A235780125FE54BF410EE7EF2DB7794,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459140Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:19.980{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD429D8F8E1B35B1EF789A3F668979C2,SHA256=31922A838D49D9D5FEFF227B910ABDDDEBFDEFAC54AAB3197C289CA20296C946,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000404073Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:18.281{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54295-false10.0.1.12-8000- 23542300x8000000000000000404072Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:19.224{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5243058B5131075FBB2211A4BADEFB3E,SHA256=77D444BF54355025D205C6DED8C381CA038A183EC211BC8451E74054FACA280F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001459139Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:19.678{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+169a00f|C:\Program Files\Mozilla Firefox\xul.dll+6828c0|C:\Program Files\Mozilla Firefox\xul.dll+17948c2|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571|C:\Program Files\Mozilla Firefox\xul.dll+2bbf9e4|C:\Program Files\Mozilla Firefox\xul.dll+6177f1|C:\Program Files\Mozilla Firefox\xul.dll+2d81e48|C:\Program Files\Mozilla Firefox\xul.dll+2d87090|C:\Program Files\Mozilla Firefox\xul.dll+2d86f05|C:\Program Files\Mozilla Firefox\xul.dll+2d86a87|C:\Program Files\Mozilla Firefox\xul.dll+2d8654a|C:\Program Files\Mozilla Firefox\xul.dll+2d8720f 10341000x80000000000000001459138Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:19.678{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+11fd9e1|C:\Program Files\Mozilla Firefox\xul.dll+122efe9|C:\Program Files\Mozilla Firefox\xul.dll+122ef09|C:\Program Files\Mozilla Firefox\xul.dll+122c730|C:\Program Files\Mozilla Firefox\xul.dll+122cc44|C:\Program Files\Mozilla Firefox\xul.dll+16b3e21|C:\Program Files\Mozilla Firefox\xul.dll+6817b9|C:\Program Files\Mozilla Firefox\xul.dll+6816c4|C:\Program Files\Mozilla Firefox\xul.dll+6814ad|C:\Program Files\Mozilla Firefox\xul.dll+6810b4|C:\Program Files\Mozilla Firefox\xul.dll+17948a3|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571 10341000x80000000000000001459137Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:19.562{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+169a00f|C:\Program Files\Mozilla Firefox\xul.dll+6828c0|C:\Program Files\Mozilla Firefox\xul.dll+17948c2|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571|C:\Program Files\Mozilla Firefox\xul.dll+2bbf9e4|C:\Program Files\Mozilla Firefox\xul.dll+6177f1|C:\Program Files\Mozilla Firefox\xul.dll+2d81e48|C:\Program Files\Mozilla Firefox\xul.dll+2d87090|C:\Program Files\Mozilla Firefox\xul.dll+2d86f05|C:\Program Files\Mozilla Firefox\xul.dll+2d86a87|C:\Program Files\Mozilla Firefox\xul.dll+2d8654a 10341000x80000000000000001459136Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:19.562{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+11fd9e1|C:\Program Files\Mozilla Firefox\xul.dll+122efe9|C:\Program Files\Mozilla Firefox\xul.dll+122ef09|C:\Program Files\Mozilla Firefox\xul.dll+122c730|C:\Program Files\Mozilla Firefox\xul.dll+122cc44|C:\Program Files\Mozilla Firefox\xul.dll+16b3e21|C:\Program Files\Mozilla Firefox\xul.dll+6817b9|C:\Program Files\Mozilla Firefox\xul.dll+6816c4|C:\Program Files\Mozilla Firefox\xul.dll+6814ad|C:\Program Files\Mozilla Firefox\xul.dll+6810b4|C:\Program Files\Mozilla Firefox\xul.dll+17948a3|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002 23542300x8000000000000000404074Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:20.224{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BC4819FBE0B62E4FFC18429230D4874,SHA256=A69B4A54530FFBF8F4300835A3C19FC10611CB66696D1B36FD3E3FF597FDA12C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001459142Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:19.642{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63331-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001459141Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:20.998{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38AE03974EA0B1661A62BD2FC0165DDF,SHA256=63AB35B060C0A11D62B922ED43A4A05AB72FD3ADEAE9F2B598A7BC08AC98AFEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404075Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:21.240{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2834B43D34DC51F89E5D3A0679EC0A0,SHA256=1D6D5A02AC20FE4C916FC09B9FE935A16D18B27C65C1B018105D82F7A2C5998E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404076Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:22.240{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36B886ECE18D63FC312B647C0A3F5F33,SHA256=C4297387F68470A1371C51F952F16873D4F73C18EEE1601474126A2803D08D55,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001459144Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:22.228{D694AEB8-B3E8-60E2-0B00-00000000D301}6565444C:\Windows\system32\lsass.exe{D694AEB8-B3E5-60E2-0100-00000000D301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001459143Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:22.028{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=672F79C199E8EDD99B023F0C462184EE,SHA256=5F3F4358E0ADFBC4F5566A82703AEC6F3C405E5F395F5515089D154810147BE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404077Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:23.255{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4ED564D4390B27F1B1384135B56DF79,SHA256=B2BE7C0CE8D755335BE6E5F315C39E82CBE938DD9E841E706C76705D44533A27,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001459153Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:21.675{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local63334-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local445microsoft-ds 354300x80000000000000001459152Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:21.674{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local63334-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local445microsoft-ds 354300x80000000000000001459151Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:21.581{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-201.attackrange.local63333-false10.0.1.14win-dc-201.attackrange.local389ldap 354300x80000000000000001459150Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:21.581{D694AEB8-B3EA-60E2-1600-00000000D301}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63333-false10.0.1.14win-dc-201.attackrange.local389ldap 354300x80000000000000001459149Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:21.574{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local63332-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001459148Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:21.574{D694AEB8-B3EA-60E2-1600-00000000D301}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local63332-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 23542300x80000000000000001459147Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:23.180{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B00F00B1FC5BF2E70843B32C39AEFDB4,SHA256=47602B845E2993EECF7A5B43A4F6821C5A1BD9B021D8E2BD942FAA487C15A0E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459146Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:23.180{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD1F33B206FDC0717C5C4C832747874C,SHA256=E9B594F88DCA1957E537E1D5A2FFA7DC2EC8BD0F23DD63C9B14FF03685BAD8A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459145Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:23.043{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BC9C6A025B3CEC41E1CFF472C23979E,SHA256=8571EEE6186DF90F763925E42CF0003F8CFD8CE83C5D120F33EEC9CE1DD25A6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404078Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:24.271{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A28FAD84094EC4DDB3610269FB09E7AC,SHA256=8B83B9EE53AA86D16066C1A87A4CDC066405E5BCE17DCC0101912FB82722F6C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001459162Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:24.811{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+169a00f|C:\Program Files\Mozilla Firefox\xul.dll+6828c0|C:\Program Files\Mozilla Firefox\xul.dll+17948c2|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571|C:\Program Files\Mozilla Firefox\xul.dll+2bbf9e4|C:\Program Files\Mozilla Firefox\xul.dll+6177f1|C:\Program Files\Mozilla Firefox\xul.dll+2d81e48|C:\Program Files\Mozilla Firefox\xul.dll+2d8d317|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+40208|C:\Program Files\Mozilla Firefox\xul.dll+122aede 10341000x80000000000000001459161Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:24.811{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+11fd9e1|C:\Program Files\Mozilla Firefox\xul.dll+122efe9|C:\Program Files\Mozilla Firefox\xul.dll+122ef09|C:\Program Files\Mozilla Firefox\xul.dll+122c730|C:\Program Files\Mozilla Firefox\xul.dll+122cc44|C:\Program Files\Mozilla Firefox\xul.dll+16b3e21|C:\Program Files\Mozilla Firefox\xul.dll+6817b9|C:\Program Files\Mozilla Firefox\xul.dll+6816c4|C:\Program Files\Mozilla Firefox\xul.dll+6814ad|C:\Program Files\Mozilla Firefox\xul.dll+6810b4|C:\Program Files\Mozilla Firefox\xul.dll+17948a3|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002 23542300x80000000000000001459160Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:24.457{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=39FD46788B942A00A1DE9A9FC36C0F5F,SHA256=69E1065F7B52C69AD9784A58C58D7E9D8DF6C38542B528E74342441D5CF6E67D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459159Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:24.457{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=4A785220385350632EC1DB73C2F489CE,SHA256=60B728E6EDD351B97D546D50BAD90B9BE3764DCE961A961CDCCAA38FFE7A739A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459158Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:24.457{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=A5B25E50AF9CFD0F0249A1A98E8B49C8,SHA256=B1171960783DF14394F49EA181C320853712D0BA4EF1E1D5E1DF54AB4F72EE8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459157Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:24.457{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=37E4916CCFE35166F052AAFDEF704545,SHA256=1BF3D33085CBCDFBBAC602930BEAE22517AC7B918B28932080D4C50D52B27F9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459156Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:24.457{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=E50DD860DEFCC71330BC239A51260054,SHA256=96C34B001D654158013E59304E33DD2BF2ADF99EE9EC98B6C091296B391D01C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459155Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:24.457{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=60B09D7C783A5972E8A4E481AE13D869,SHA256=E1ECC8EB23387A9FDAC6E7ED6B071FC0CFA8CB9520C94F952C52BFFD17F07CE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459154Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:24.057{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DF4D71813DD935669BECF7F131AB091,SHA256=247BF660DC162B478A3A985E7A1CE9D9DE42194E5DFB169B2902A8EDCA928C76,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001459167Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 14:01:25.180{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\DFD6B7A8-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_DFD6B7A8-0000-0000-0000-100000000000.XML 13241300x80000000000000001459166Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 14:01:25.180{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E4B998BB-7148-4125-92A5-5D16014446F6\Config SourceDWORD (0x00000001) 13241300x80000000000000001459165Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 14:01:25.180{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E4B998BB-7148-4125-92A5-5D16014446F6\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_E4B998BB-7148-4125-92A5-5D16014446F6.XML 23542300x80000000000000001459164Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:25.096{D694AEB8-FCBE-60E2-8009-00000000D301}5812ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\emu.bat@2021-07-05_140111MD5=E70EB576188A05F33AC6649905B15587,SHA256=17CCC696F59FA7586E7CED32EDC67FDE41EA7485AE0D88D1566E62C2C8717DEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459163Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:25.058{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=608B389A9704BAF4D2C97AEC782C1D85,SHA256=15AC86D1066D88707D060548E2FA598906F67B520D306839B72AF4314D769CD2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000404080Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:24.267{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54296-false10.0.1.12-8000- 23542300x8000000000000000404079Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:25.287{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47DE4B3DA1907D9AECC97A94F66F7E34,SHA256=E2B208CD0562E35B9FF09F5EDCB213EDBEAD8634FC2DFF42BE533B9EFC11EF56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404082Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:26.459{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A370E05E104FA8BD0D68CB92830DD85D,SHA256=C223F2E1964B4A7207F626289BD085AB6C187D33C67668464C0086D5F241435E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404081Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:26.287{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D07DCE30A045374A9B7664A95B39D9EC,SHA256=8CBDA7727E48F6875E490B879E4037B9BA9D204244DE766D153DDDA5709C543B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001459175Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:24.641{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local63337-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001459174Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:24.641{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local63337-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001459173Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:24.631{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local63336-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001459172Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:24.631{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local63336-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001459171Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:24.618{D694AEB8-B3EA-60E2-0D00-00000000D301}916C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local63335-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local135epmap 354300x80000000000000001459170Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:24.618{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local63335-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local135epmap 23542300x80000000000000001459169Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:26.195{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B00F00B1FC5BF2E70843B32C39AEFDB4,SHA256=47602B845E2993EECF7A5B43A4F6821C5A1BD9B021D8E2BD942FAA487C15A0E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459168Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:26.076{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73C9136A30A50E2FB5F7C85F514A2F52,SHA256=ECF7271AC56B2523564B763199F77266566D78F3164B44653363B471FE111D1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404083Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:27.427{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CA71A33E69B7BD00A26CD04F254FCC2,SHA256=5F4D1321248056E145452393893907B6EAA6FD3DED87A029888D1C47FE37602D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001459177Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:25.654{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63338-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001459176Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:27.081{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F372BE9561C8D079B297810B460277C,SHA256=00C57BCE870794374DE376E2C98F4257C6E014251569F4A0B92775279E88C584,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404084Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:28.427{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1D980CA12856797D60D2EF890D62224,SHA256=CE2DEED27DBE27726BB39DAF6EB90D975181974CED1767A521147CEE90C952BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459178Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:28.098{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11384B69C43FE2346918496847C1FD43,SHA256=3EFC65C861228D07085DA84CE57148564D5E5CB8851864C4B3F1271A2EEAED6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404085Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:29.490{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA2831D52F53145C7E9D3E775AA19C1B,SHA256=43AE78F05CAE1822832C2F968ED31A8668131ED49FDD8893557D2B71B692EBDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459183Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:29.949{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=0CE64EAD6841DB81F2A3FA4DEC8EE094,SHA256=A7BBF28B4E59F05E7D84E71D77BF1FF57DF891E4CB09003EB367EF86857D8ADF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459182Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:29.949{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459181Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:29.934{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=0BFE1B2DE68116D4B3D50EF2BEBBA16C,SHA256=2B4DA2478BD6922C7C6CEA7B4AA756FE2D3915DA528A8B2E75A654E9219C7CAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459180Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:29.897{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459179Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:29.128{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27A9926957348FA9515D0674D4212AC3,SHA256=4D818648682513D97B8A9A0EE7BA390D7F62D0119E1B317C571DC6FAB98EA6F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404086Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:30.490{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C182584CEA02DC68D76ABAFAC99B901,SHA256=706F2DE53814459F95D4A3CD3043CF0F6E390257751FE0AE58F235E9206F0176,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001459236Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:28.250{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-201.attackrange.local63339-false142.250.184.234fra24s12-in-f10.1e100.net443https 354300x80000000000000001459235Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:28.248{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local60082- 354300x80000000000000001459234Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:28.246{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local62325- 23542300x80000000000000001459233Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.697{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459232Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.451{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6E23B0E7F050A39485B23A05068E026,SHA256=1918FE9BF63365BCAAE62720A46E4A37B9CD8053D096DA3E22CA078ECA73FAD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459231Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.182{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=4389884605AD56EC50BF27FBD4CFB473,SHA256=60B552CBA048738FE850BA958CDDF9B742B6FAA7519F455D4B39437734725990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459230Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.167{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=3F92B621E1581AD764BE2EC57381AF23,SHA256=18FBBA6D350213F61DF718195FD2B38A3B8344D0A5C22C2713E6F8944E9A9DD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459229Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.167{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=8D76E0D31A687AE5A730C71C052C68E8,SHA256=6747A2FB92023CBF27E345AAC38B2BA7695A7DC5E9A42BD793D0CF6DAEAED260,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459228Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.167{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=DC7308A91A03C92D7329F37F15C7AC82,SHA256=180DDE904FFF036ABD4045A52850200ACA369E4577E14E0675E5298855A6AA0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459227Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.167{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=54971F1ADD787A9676F9DEFAB4C7FE3F,SHA256=FD890E3920CDFB62C1089C6119A8F8B713F81BDDAF7BEC925AFB4BDFB32AF5E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459226Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.167{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=0A19E4A237D65FF069452EF5201F217E,SHA256=AC5D43328F28E2B1159D014197F58D987C2AB78C9179DCD924524353571FA604,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459225Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.167{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=D95F203FEE1C8FAE222EF4C6D410971B,SHA256=1CA57763647104AEF83C8A86E8366FBBEE4BAA88C900C7AF66F437720319CEAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459224Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.167{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=C0FE3CB314FDF424A4D4F1DE2801A4DF,SHA256=C4CA8CE5B3B8D038E3348887BDA7634D1949325BB95A68D17184D2A99F37E810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459223Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.167{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=8F1AF05E946BCD9711A1CDE1B1ED6C95,SHA256=0F5C8864E17307F3C8CE1D35AC4770D0C1C34F8CDB3FC7404F2114B4E0FD93BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459222Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.167{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=B91E9842F81EE5668B68C0B5B561010A,SHA256=19F7DFB5FC8E587C8D48DC8A779B07E1C11CCD772A7B68025146FF0A335B54CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459221Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.167{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459220Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.167{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459219Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.167{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=B98AFDBC82C65E5ED9671127E358CC52,SHA256=98373A36DAEFB30B2DE3616B12FF8B0694EDC8FDA4E6BF4825F3CC04E06289B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459218Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.151{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=86A92D99AF9863F13F1A9984DCAD894C,SHA256=059CF583BD87AAE3B6B77F4A41B045C3C2C04F5D967F9564AE1D65C5CD253642,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459217Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.151{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=52D70935E17F70A266DDA90945797795,SHA256=D5B692DCA16CF1CAEEB0D1287D78D7B8B59B249942079EC6F347A0895DA91B7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459216Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.098{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=0BFE1B2DE68116D4B3D50EF2BEBBA16C,SHA256=2B4DA2478BD6922C7C6CEA7B4AA756FE2D3915DA528A8B2E75A654E9219C7CAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459215Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.098{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=88F552B8009DE93BC2F94CC224E1009F,SHA256=52E34FBBC7D8FDCDE628DBD2746D5341EF157F1DBF04F5AD6288C63184D53213,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459214Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.098{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=0CE64EAD6841DB81F2A3FA4DEC8EE094,SHA256=A7BBF28B4E59F05E7D84E71D77BF1FF57DF891E4CB09003EB367EF86857D8ADF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459213Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.098{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=EA86E0097B81FDBDEE3F12AC90CA6410,SHA256=6A242B62530E38DDCFD272643F6CC44EDC0208C69DC3022D6CC273F4C7E79AF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459212Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.098{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=74340326CDB97A696E8E3A4B9CEA6BC0,SHA256=6DFF35E885CCF75F9D753991316ECC857A4B750245AFD0335D9D100C27B0234B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459211Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.098{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=9556A1E92096F35BA9C9360F8A651A46,SHA256=91427533E2E8641A98C9092D2447D0C44D789BF2D62D1AB6BFF5797EFD2DE358,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459210Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.082{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=9236FAF32CB389DC7977154A56AD6896,SHA256=40D2DE1E98B4129A6493156BD048407BF4C8AD819621AFAF57783C9B88607430,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459209Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.082{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459208Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.066{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=5A35E65CADA1885B6796D1B3FE56E5F8,SHA256=35A1BF0FF6DD2B70DA5F89611891D413808DDE1510D03D788FF48A214AFA7CDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459207Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.066{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\except-flashsubdoc-digest256.vlpsetMD5=0C0D67875BD75A0227C02DD8529BA01A,SHA256=614BE0169EC36E67223EB9645A98DA66DBFDE5DFBB89BB064F428AAEABDD9D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459206Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.066{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstoreMD5=22698B4CF784DBBAE2D583F00491D43D,SHA256=3849563088AE0677D61702A1310FDE26DE5DDD846D53037222D3EFE012197BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459205Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.066{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\except-flashallow-digest256.vlpsetMD5=7194B6BFF691A056852A51E2E06CE8FE,SHA256=CBE2DC6ABFE25BEAD60F4DFAF419FC0F441FF8A8DD4A2FEBF5553BE1CBD90C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459204Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.066{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\except-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459203Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.066{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\except-flash-digest256.vlpsetMD5=C2994D388F8780C87D35C352D9582985,SHA256=7ED09F7D2BD632F70077A4AE4F2BD2F3FB654B03CD72652F51678B0C7D027F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459202Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.066{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\except-flash-digest256.sbstoreMD5=D5D6B4D59B4AE4E2DE4B40D0DA083571,SHA256=000E3A78C72A210CA3B5417A3CDD294FBCE2A31661601C9D594C75CF2800571C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459201Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.066{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=E72E6B0165636DAE364CC43097FCD4E9,SHA256=3FE594D286D351B102E94676FD8A91B8FA0B3FDDD151336DDCE8C9BA2CFCFB50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459200Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.066{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=318288F5909637E0C3285C0942D72FF4,SHA256=F2BB9D40F7237C0E6D8EA96DFA2E864BD1264EB191C52BDBF16488D9466BC300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459199Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.066{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\block-flashsubdoc-digest256.vlpsetMD5=40165280FF1345B5241EC2A9D1DA2AF0,SHA256=F80BDD5341D8B1EE946E344E258EF2D35C3C0BB6B13EB7B3E6A77467DFA8B97F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459198Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.066{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstoreMD5=B9556D03AFF392142AD5691D2F867310,SHA256=CFD3909B41C1EE3CBCB8B7D2B1378065E7D3B543FFF1F2FB7A4F25C5FF41722C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459197Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.066{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\block-flash-digest256.vlpsetMD5=130B9AC2BEEC5ADA274561105D81AE36,SHA256=7D99FEC08182A5B95D18D1569EDAA2C60C2AAFBD15A56D8882F22F3B395E6460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459196Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.066{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\block-flash-digest256.sbstoreMD5=9F6B331AA1E070DCFEED473E76CE56C3,SHA256=7DBBEA2DD387EEB85E1F56E02FC9989ACDE570CD43BFEF2C2A827093BA87DA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459195Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.066{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=F7A173C65979416711FAFF47FADFBB44,SHA256=7F018CC32CF471750B6C5322E27E4F1C38097C414E7C6DC6AF9CF31E607431A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459194Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.066{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=5C71167AC9642FCF7752093F77FBBC89,SHA256=6714F7FBADCCB013DA1D8ECEFA6368A7D193E1F2460477F8AC304EDCF8637AA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459193Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.066{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=BFED06667174B0D03EE7F88A3DDC9A8C,SHA256=7AE5584755089D28C3A52DCF1EB86E62D4F2E377D61A7D549C6D4EBD53F39B26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459192Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.051{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=E6AAB64DC2799B4ECC6A6D18F86BD283,SHA256=D72FA31B50E9164371C5B7A3CCA257B99CE12D900FB07DEF942361D76299F5FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459191Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.051{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=16E5F327975AC215E9EFA4A4FC5262F5,SHA256=4698D628493E91E42494C8343B7E6469DFC1BFB1F771258C2FB556E84EF314B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459190Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.051{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=C3757E7620737B3B6500073B370852FE,SHA256=34B07244F673343E9AC1C775B455C0A60AA95439E83A70B0C6A24E504A88F4B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459189Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.051{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpsetMD5=DE0D88480C24350C59E1E9A3583DE0D1,SHA256=01BA9F0B913E04ED10BD7166796483DD4F72005F249D6EE68B12117BE4B5D3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459188Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.051{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459187Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.051{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=8D9E3EEEE577DCE4B0062413A081F9F2,SHA256=D0E3356B67A0BB9BD101D87FA6E23EC2699CC8A25564CD88076663DACF73A9CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459186Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.051{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=2CC22CF356532158115AB8A0851A9A80,SHA256=6B106FD00C6E27909C9779448E5BDA5FFB96FE2A6FF42636A662AB411D9906DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459185Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.035{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=9236FAF32CB389DC7977154A56AD6896,SHA256=40D2DE1E98B4129A6493156BD048407BF4C8AD819621AFAF57783C9B88607430,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459184Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.035{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404089Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:31.818{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000404088Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:30.266{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54297-false10.0.1.12-8000- 23542300x8000000000000000404087Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:31.490{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FE10C9F754A9B11174A739C3AFF9768,SHA256=7552B4E9888BA7D4871992DDBCF563E4A169DAA35DA4A14EA9DC3BCE9035D1F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459238Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:31.250{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459237Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:31.181{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0E956E2AB79B8858A1477E986EEB5C8,SHA256=A95E7C42FE0887E16DE75AAE0152CEC1813E35036A9E843701D29D096E1165AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404090Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:32.490{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C8CB18FB30C11374D3738CD2E2E6C0B,SHA256=B82FCB88B9E808BE9D9137040F628C9D6DE22287415F0B8D8A6F29698A636C9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001459242Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:30.674{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63340-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001459241Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:29.972{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local57000- 23542300x80000000000000001459240Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:32.211{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DD14F8A216C726AD5A4A7A1B1054851,SHA256=0107BCEF8E098804278D49D4FF9339ECAA0541BFE8EB893ED82230390FB8248F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459239Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:32.111{D694AEB8-FCBE-60E2-8009-00000000D301}5812ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\emu.bat@2021-07-05_140111MD5=05D2D24BD50BB31AA447AAA2A39BE2F0,SHA256=44A9F40D2EEEAF76779DEEBEE14ADFCD77EEDFE0E54DDF978C6E717494F13F4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000404092Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:32.032{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54298-false10.0.1.12-8089- 23542300x8000000000000000404091Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:33.490{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04B8688B9411AB09866756DD60A0E5C6,SHA256=7015831FAD36032E73B9719CDCA41A51CE1BD89685234D7DAEBA3024FF668CAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459243Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:33.229{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88801B2E4208C802F67AB1CC184F8109,SHA256=0E07582C1322C888C3B7D9BFCB50E0EB0567CF1258984CCD4E18F4932EFF722F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404106Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:34.490{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4B1135E3A16B1231B39DAF6F48F8470,SHA256=93CC4BA38303C7ACEA3181906789B82796824E5F027246A5BBEF02E76C3F140B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001459248Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:31.623{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63341-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001459247Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:34.247{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86D24522D562B395A6D79E0E996997D7,SHA256=2876E61AB74302E6527AF7AB6F96412E301F8211C77B93A53EC97C99747A4783,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000404105Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:34.474{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-10BE-60E3-6B0B-00000000D401}1792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404104Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:34.474{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404103Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:34.474{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404102Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:34.474{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404101Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:34.474{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404100Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:34.474{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404099Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:34.474{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404098Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:34.474{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404097Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:34.474{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404096Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:34.474{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404095Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:34.474{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-10BE-60E3-6B0B-00000000D401}1792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000404094Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:34.474{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-10BE-60E3-6B0B-00000000D401}1792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000404093Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:34.475{7F1C7D0B-10BE-60E3-6B0B-00000000D401}1792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001459246Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:34.226{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B5EC058F60F1DA611F7AFCF7C1463997,SHA256=AF1E37F40067AFBC84A7005BB9A61BB344D0AF7FE8371AA3499C8C249C2C2029,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459245Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:34.031{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF248C18855A878FD5A384378C0EB177,SHA256=33ADA39C68CFD9F8BB1DC0DF05E82B61965AE05E8CBB5E18875DDDC639653C47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459244Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:34.029{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F192583450EB1404B19F06DD3B15D972,SHA256=F4A49A066A60CB8E56C86D02C8DE913EB9BC455E113304C6B5A61387826E2EBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000404136Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:35.849{7F1C7D0B-10BF-60E3-6D0B-00000000D401}17602812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404135Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:35.646{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-10BF-60E3-6D0B-00000000D401}1760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404134Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:35.646{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404133Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:35.646{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404132Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:35.646{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404131Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:35.646{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404130Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:35.646{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404129Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:35.646{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404128Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:35.646{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404127Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:35.646{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404126Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:35.646{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404125Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:35.646{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-10BF-60E3-6D0B-00000000D401}1760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000404124Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:35.646{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-10BF-60E3-6D0B-00000000D401}1760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000404123Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:35.647{7F1C7D0B-10BF-60E3-6D0B-00000000D401}1760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000404122Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:35.505{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F4DEDD6609E9413C35CDD38AF27A1CC,SHA256=B4E85219926AE3C18EEEBC3554441AA2F46F4E762C3DD47AC4DBF9265493FACA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404121Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:35.505{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E852AAC224B22F8F8F87D8ABB1C0C77A,SHA256=9DB976547CAA9A0D93C1844C4C83A2D71449E6E7018BE7DBD876EEF2658C8EBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404120Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:35.505{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58C3628B8C1DC2218F63D13B107AE341,SHA256=38968B48DD263189FC09EC0F5EAEC0B96788776320ACE5D0A6445A5C7CD084C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459255Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:35.461{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=8450142B8750536A7CD7528279798D09,SHA256=FDAEDC0D6954AE1AB5B993B1C107DD4112767E5306AF84C42899FBFE7E415600,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459254Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:35.461{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=ECBDD749B609D22C381D86FD05649F58,SHA256=75EAF935357D93D0C9F56A48B27462D625959C5BA19DBF6C4B2499ACD38CB2C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459253Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:35.461{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=D20AFD1D4B128E97285AAEF0E2C9DEE4,SHA256=6772AD1A9D9F506988E6CCA46E01D719C90C3523AEB506BD407A7A2B0091D597,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459252Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:35.461{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=53862A99A803A812FFB6D2E946F79DFB,SHA256=BFC2B6B44E3897088B60007B47BE240C658504A0CB6F78F2AD4674FCB70F840A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459251Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:35.461{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=23E654AD059B8CE571BDD1451830D8E8,SHA256=002A4C7C73ACFA698D429F75FD56550BE2C02C3A27AD0FB62E2980E59DBDE1F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459250Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:35.461{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=40E392AE88899B701625C6E0AE001043,SHA256=EAA9397E71F309A4BBB16C4C896A88AE9C385369701E0259BEA16C5ADEBAB403,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459249Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:35.262{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F46D9B5D854482E974545A836A360B90,SHA256=70EE47DFDB551F5DEC8B1346E8A7CF9FC0E043CCD060BE5DE794676BCCA83799,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000404119Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:35.146{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-10BF-60E3-6C0B-00000000D401}1296C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404118Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:35.146{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404117Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:35.146{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404116Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:35.146{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404115Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:35.146{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404114Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:35.146{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404113Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:35.146{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404112Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:35.146{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404111Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:35.146{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404110Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:35.146{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404109Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:35.146{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-10BF-60E3-6C0B-00000000D401}1296C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000404108Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:35.146{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-10BF-60E3-6C0B-00000000D401}1296C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000404107Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:35.147{7F1C7D0B-10BF-60E3-6C0B-00000000D401}1296C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000404138Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:36.802{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E852AAC224B22F8F8F87D8ABB1C0C77A,SHA256=9DB976547CAA9A0D93C1844C4C83A2D71449E6E7018BE7DBD876EEF2658C8EBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404137Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:36.568{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E3A05912E8D1608B2E7D6A345F86DEE,SHA256=1EBFD6054840F90F17367EC53AC9F2EAF2051DFD6D9ED0EF2AF5E166BD5D026A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459256Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:36.276{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F56275C8E8A7D83784494438B77809C,SHA256=5E6FDE481484110A0081F3D48438DA9E1C32E2C35EE15025946819D3DDC97F23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404140Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:37.630{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74A1B44FA209F7DA7E758D351A1BB6D6,SHA256=4425D4F2E2F001303FCC654B1642497E386B69AE5C7B6033DD1F6D38764B7E03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459257Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:37.291{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67DB42BC174479563019A3F8817D3E5C,SHA256=B608CBC83297499ABDD1B2048C8D8D565FA75465C88A19125FF6FB59D0B3A70B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000404139Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:35.469{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54299-false10.0.1.12-8000- 23542300x8000000000000000404141Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:38.630{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D89C2759F31B897D55B27F66D7F82C26,SHA256=8844FEAEAE19E5F52254B8CBFBC2E22DDFE31682196DA0CDBB3AD20848E6DD52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459258Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:38.305{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68A670A232262ACED1AE1F978AD534F4,SHA256=9060269B5B916BDA72DAAAD04044A88349FA63840F3B1C89779E6DEC9B47B2F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000404170Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:39.787{7F1C7D0B-10C3-60E3-6F0B-00000000D401}10083128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000404169Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:39.709{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBDA4BACEE3104BB4A978FE597B7D7C4,SHA256=BFBEBB081C40FA9F4FD0DC4B2A04263CF57BA947F1E9D55C391B0928C9D9EB2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459259Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:39.323{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58724BC27C313E4C40BE031AFC6C00A8,SHA256=F602BEF43DA7A85DE776007E394766168ACDBB8C189AA0C1CF2F370F6026B4AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000404168Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:39.584{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-10C3-60E3-6F0B-00000000D401}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404167Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:39.584{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404166Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:39.584{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404165Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:39.584{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404164Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:39.584{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404163Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:39.584{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404162Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:39.584{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404161Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:39.584{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404160Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:39.584{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404159Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:39.584{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404158Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:39.584{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-10C3-60E3-6F0B-00000000D401}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000404157Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:39.584{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-10C3-60E3-6F0B-00000000D401}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000404156Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:39.584{7F1C7D0B-10C3-60E3-6F0B-00000000D401}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000404155Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:39.318{7F1C7D0B-10C3-60E3-6E0B-00000000D401}3868652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404154Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:39.084{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-10C3-60E3-6E0B-00000000D401}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404153Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:39.084{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404152Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:39.084{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404151Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:39.084{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404150Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:39.084{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404149Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:39.084{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404148Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:39.084{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404147Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:39.084{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404146Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:39.084{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404145Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:39.084{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404144Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:39.084{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-10C3-60E3-6E0B-00000000D401}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000404143Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:39.084{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-10C3-60E3-6E0B-00000000D401}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000404142Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:39.084{7F1C7D0B-10C3-60E3-6E0B-00000000D401}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001459261Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:40.340{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1297864FE11F1E977A9FF5E9F1EAB4B,SHA256=533D4C6ED3B37AD38D4D258843D3EEC682D8ABDDFE78593CB3872DFC5B33070F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000404198Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:40.755{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-10C4-60E3-710B-00000000D401}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404197Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:40.755{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404196Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:40.755{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404195Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:40.755{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404194Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:40.755{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404193Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:40.755{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404192Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:40.755{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404191Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:40.755{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404190Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:40.755{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404189Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:40.755{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-10C4-60E3-710B-00000000D401}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000404188Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:40.755{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404187Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:40.755{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-10C4-60E3-710B-00000000D401}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000404186Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:40.756{7F1C7D0B-10C4-60E3-710B-00000000D401}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000404185Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:40.552{7F1C7D0B-10C4-60E3-700B-00000000D401}38083668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000404184Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:40.318{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84373834E4F6A7CBF03AE81371680062,SHA256=E2A81A7FA4309D9DC9ADE30B4686A457C2AA6D485D28FCD22EE224DD95AE2EEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000404183Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:40.255{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-10C4-60E3-700B-00000000D401}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404182Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:40.255{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404181Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:40.255{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404180Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:40.255{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404179Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:40.255{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404178Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:40.255{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404177Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:40.255{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404176Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:40.255{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404175Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:40.255{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404174Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:40.255{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404173Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:40.255{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-10C4-60E3-700B-00000000D401}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000404172Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:40.255{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-10C4-60E3-700B-00000000D401}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000404171Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:40.256{7F1C7D0B-10C4-60E3-700B-00000000D401}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001459260Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:37.632{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63342-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000404201Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:41.818{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADD33FB4894A69DE1D7D2667EF0FD923,SHA256=C2524078FD9152234B10740FD2863770A365E13065F85847BE7032E98E251AF6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000404200Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:40.469{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54300-false10.0.1.12-8000- 23542300x8000000000000000404199Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:41.474{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27699316B209C36753C0F77BB3E18D52,SHA256=DDBA2F0D0B61A90D2B4D0A9F602BB090AFAEBB86400C3CA5379DF0C52DF6EF87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459262Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:41.354{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21502340193778A7919BDF3CC2846665,SHA256=87E6165E6CBD16BA4074173B355BC724BDE711D8550BBF35835D28ADD08FB333,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404202Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:42.505{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF74F8AC48FA463E7DC44E49BF6CDAAD,SHA256=CD97AFEDF6CB3935263AE2E0616B99A126F86B383FA86FC2517C9940BCBB9810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459263Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:42.369{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A030053526425D565F1BE5CD1C4DF8B,SHA256=166BF3F9F2A9FC4C7AAAB6CFF0ED1162EB8E5B0883861115B15B9CFB0E34499F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404203Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:43.505{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=959D5CEB80DA02BA16355B963BDCD2B5,SHA256=F49C78442D222CD93073FB8545D1E5D48DC89E4561AE2A00157E9225E90159D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459264Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:43.383{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=717499CA425C42156F76909BE04422CD,SHA256=230B6F77916ECE62AF9325FF3CC810E00100C801E9B59A4C0EEE3D387DE6428F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404204Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:44.506{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF6E978E58F910CE1C335A1163DF4444,SHA256=12DB375E61EB563AD252E6BC063D8B92FF781002227FA3CE72352686694E8B49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459265Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:44.398{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38F8974233D29E4D1901BF16C1358842,SHA256=38154C6769775ECC22323517BF755A89D2CBDCAFACD6DB077F8F3110A514191A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404205Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:45.521{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3279C8F0F06B0C9C4E68517D8D1B4A6,SHA256=3E45B08073FF7E8FC2B2BC4EB503C370E176A1B7A1C84F2EBD756F0E53B328B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459266Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:45.415{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82B4698C201F30167D69A637B84D54C4,SHA256=521FC5C56531A3B30555724DC7B1D3D9C9CCD0144F56170D20C852A1D1C554B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459269Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:46.436{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=929414BF8B33BEB1A305D67E80434926,SHA256=4964FCEB739D70AF1C2893DCFDF9A112427A776743D0705256E75D50F90053A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000404207Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:45.485{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54301-false10.0.1.12-8000- 23542300x8000000000000000404206Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:46.521{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8BF6C4300AFE02FEEE91B7DD58F6977,SHA256=0C7346BE2396B76F19AA4B0660455E298B8D40C4FA150CF3A8DB0E5B30DCF095,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001459268Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:43.625{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63343-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001459267Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:46.137{D694AEB8-FCBE-60E2-8009-00000000D301}5812ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\emu.bat@2021-07-05_140111MD5=DBEC67DC36FBC5CB2354C1E5BF551EEF,SHA256=A3C99D3549AA6CDB9B051BD0CA2CFF4B9B84312F5C8540DD14EA7FBBB1B91404,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404208Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:47.521{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83171771C8A66FA92899CE81A363489B,SHA256=077598FC71BECCDF1598420832C39C46A5A00B674A8006CE3A4E087C1277B39F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459270Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:47.451{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC49BC874B90E4293F293F0F3AA24F54,SHA256=FDE3A0B50193BA521BE11670DE80F65F6FF367BBD5D99E240888E9A34FC83240,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404209Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:48.521{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE5F5DDD0332716A7AC03C1B62A7616C,SHA256=3794F4F1A35235351D088EB797F489F89242D319E2C59405E9B08126E060159B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459271Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:48.465{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47C38433B079B0080DEA6B1B1A4B393E,SHA256=062EC498E38325FCDFF6B317CE09BA4B78406BF542A4C898EB42A1C34ED9A9AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459272Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:49.513{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CADB989BF6DD74B419E59FAC17CB5A1E,SHA256=E573FFDC94E437B8EC8E0AF12B18CC3E4BC79A767C1FC84C65F0D44C82F108A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404210Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:49.521{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3034405631F98BD9888263D890BD9D59,SHA256=B32C2471494A0CE6BBEE01BD679AA1133CD3EB1F5EFDC56164ABEA9FCC2D616D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459273Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:50.533{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5016DD3EF669F2208FEA198FC773DEC8,SHA256=DF74B43C23064CF1E143B154F39A03B28FAEEB80A3286D375A48C516300B9C05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404211Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:50.521{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F5CAFA2F8E36F9E3064CC37F756A61C,SHA256=69B77DB96636291F801C773B3D35C850D0851D292AFA050D3E3456BAF4A53DA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404212Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:51.521{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55F3FD1651ACD31F35F1E5E825FC7E05,SHA256=0B15C8B5D09F22BA7B5DA6B2DF2C05EDDAB79C0A34BF182EF5223026F11FA358,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459274Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:51.547{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1965D3144B720E63AA7ACBF2006C5EEF,SHA256=C4B852F22EAD6C373AEDBCB4AF50663B3671EAA16AEB9B83EF1C245FC302963C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000404214Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:51.250{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54302-false10.0.1.12-8000- 23542300x8000000000000000404213Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:52.568{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9D3C2B8833D107B821B18761C7F97D4,SHA256=FF845DF8A0DC48CFBBA1376E96E564AB974EC15F09EB3FBF88110DB0F9B8B9CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459276Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:52.562{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B0D875781A8CA606C290574139F3EFE,SHA256=7C2E2061D0CDE9D9B751A14F2615314D3054A1C9307AC16443A11100358BAF63,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001459275Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:49.654{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63344-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000404215Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:53.693{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76D052D12B12F14C29BD3F7F5986AC87,SHA256=F1F4DF8BCB8B54BBED1B8AD83ABAC39EB830F6A84324497FB79A9E60C5E57FFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459280Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:53.576{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2BBD523B1C684CACFB4A113310428BA,SHA256=98DAE1D0BBED628D53B60FCFB810D3C3CE26043E57237F7A10D7C46503B991F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459279Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:53.092{D694AEB8-FCBE-60E2-8009-00000000D301}5812ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\emu.bat@2021-07-05_140111MD5=9B758FAF0A3A4D69725C495800E7A5C6,SHA256=DC0D556511C48B43A70D8F55A17BB8B79C0D6BFDF3F4EFAE9146BDFE685D981F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001459278Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:53.092{D694AEB8-FCBE-60E2-8009-00000000D301}5812C:\Program Files\Notepad++\notepad++.exeC:\Temp\emu.bat2021-07-05 14:00:58.311 23542300x80000000000000001459277Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:53.077{D694AEB8-FCBE-60E2-8009-00000000D301}5812ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\emu.batMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459281Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:54.591{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=272BE1ADC3688F1A77EC5A467705CA64,SHA256=5E22F198B793EADA6347D8004B411C1FB14AF252985C1CE15047DCA42BB93FEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404216Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:54.740{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC8D24D19C8EADEC5337E535167FD131,SHA256=80C1C71B50FCB4FFEB12ED0CB1522BD64A8760A7DBC8AAE1418AB7348D30ACDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459282Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:55.608{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=534CD4DE35B4AFC98833994E42663F19,SHA256=2E34B1AF606433AC921D2B5E5A40C3AD31DAAE8981AD00F851923CCDAE1E5EAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404219Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:55.756{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17D134EE75B25AEC7F33AC57312A2D3C,SHA256=CE80D1237D99686637BB46202B4446E41136D1B75F2539163845BF42289FE6AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404218Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:55.380{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D26231839A1DE81CC75322C32E6F9F0,SHA256=744BC23C1D4D81189DE3599CD2D5DE64F32C462A447E9FC2DA4D9E3424165A64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404217Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:55.380{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23FCB63410467724BD30BB977406FB11,SHA256=1B02B3D09359A4334AC87A0FD9F492770536EFBCC5226F9C47AA2576606B7107,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404221Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:56.818{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEB97934D6B97249C56EF192E7283584,SHA256=FE429426BDE742C49948AFC7E3314B8C4D9B5B67AE54B765ACCCDFD6C29C2666,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459283Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:56.626{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECA51E7E49D28F4E47CDFE127544D321,SHA256=1FF92D787E50F0F5CD5F8BA5CE9BFE8EA41AE7FC508FBFC59E3C14FF2ABC96C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000404220Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:53.961{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-62286-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000404223Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:57.818{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=017429797C76E4B36A6718BA5A920DB8,SHA256=7F49C11EA3670F5ED9EE563B59DC36A0C38052784C3F334E235F0C1C2FC76DE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459285Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:57.640{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E44185E54B7934F4DD4BBA410831EE18,SHA256=B9C5A6B35F14220CA2B5FC59DFDB4B1DF96A0EA868DAFF3C675FBA16E5B9D03F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000404222Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:56.469{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54303-false10.0.1.12-8000- 354300x80000000000000001459284Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:55.616{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63345-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001459294Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:58.823{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-10D6-60E3-060C-00000000D301}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459293Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:58.823{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459292Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:58.823{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459291Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:58.823{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459290Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:58.823{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459289Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:58.823{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-10D6-60E3-060C-00000000D301}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001459288Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:58.823{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-10D6-60E3-060C-00000000D301}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001459287Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:58.825{D694AEB8-10D6-60E3-060C-00000000D301}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001459286Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:58.671{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6342E153A3328C39FEE80DF1D4DF9D7,SHA256=343FF4688409FDBCA271A16F1F919C2ABFFD1A407DDCAE0931F047DF2A1E33D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404224Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:58.818{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40C2727E5F7BA5D00AE8C429ADB8333E,SHA256=C4511076808F07F38A1C35A2824A983EE9E1F589CE9310CBFF7674970336FC96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459306Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:59.854{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A71FC8CCD0789FA7D89F6BA18344918,SHA256=6DE18973570893AD416AB3C5EF266A438D4B768DE4B31D68138F2FCDF4E42075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459305Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:59.854{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF248C18855A878FD5A384378C0EB177,SHA256=33ADA39C68CFD9F8BB1DC0DF05E82B61965AE05E8CBB5E18875DDDC639653C47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459304Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:59.685{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E24721BF8359DB2E5AA3628B72F25804,SHA256=A375BA319B8379A6CE02D63472E2B6D9DD84E37E9AEE860D1D49B2CF99977436,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404225Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:01:59.834{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D4C99496A3CDD97399AF59ED66FC528,SHA256=33FAB612ADF6F296227BFC13CA26463F67C166F72F4088972AB36F9EDE51CF46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001459303Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:59.506{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-10D7-60E3-070C-00000000D301}6368C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459302Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:59.504{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459301Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:59.504{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459300Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:59.504{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459299Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:59.504{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459298Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:59.504{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-10D7-60E3-070C-00000000D301}6368C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001459297Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:59.503{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-10D7-60E3-070C-00000000D301}6368C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001459296Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:59.502{D694AEB8-10D7-60E3-070C-00000000D301}6368C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001459295Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:01:59.008{D694AEB8-10D6-60E3-060C-00000000D301}63602440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000404226Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:00.932{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E08112F115FF47D6FEAFAEFCD025F936,SHA256=4D73A78D83CFBAE71E5792347125A043CCF085AF9C57671D79519A3A3A6DD401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459315Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:00.709{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=704D3476B26F706431AE2E176AA243FB,SHA256=F19DD754805E3D98046797EE3B316B2CB0380BEC777C718C4144B1B4B99A95BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001459314Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:00.172{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-10D8-60E3-080C-00000000D301}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459313Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:00.172{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459312Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:00.172{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459311Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:00.172{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459310Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:00.172{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459309Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:00.172{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-10D8-60E3-080C-00000000D301}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001459308Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:00.172{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-10D8-60E3-080C-00000000D301}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001459307Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:00.173{D694AEB8-10D8-60E3-080C-00000000D301}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000404227Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:01.935{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61E61FE0CA3A38E7CF7EEDC3ED7F2320,SHA256=F55571101F530AD47317F48AB5753BA2DCFBFAC4AB722377D0ADE716D70957E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459317Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:01.725{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C5CBD8DFAC60D3F34A9C8B2A67A7F89,SHA256=277F0C6AAECD77F4DF5659EBC98FAF4218F354E32A561323366DE4A1F0927F1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459316Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:01.187{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A71FC8CCD0789FA7D89F6BA18344918,SHA256=6DE18973570893AD416AB3C5EF266A438D4B768DE4B31D68138F2FCDF4E42075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404228Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:02.943{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B60CAED5AC1EE9BC1EAB241557314049,SHA256=13C1762B128D76F58D9075CDA1262D0F0CC879BA103F96840ADF7B14C7CB098D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001459330Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:02.786{D694AEB8-10DA-60E3-090C-00000000D301}67524088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001459329Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:02.739{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=328186DB944AC91DC2E12B23127DB378,SHA256=F842339E6C57CB9F83C0655FCFC1F3805CC79BA2993551A7D64C790FE8CED626,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001459328Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:02.624{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-10DA-60E3-090C-00000000D301}6752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459327Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:02.624{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459326Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:02.624{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459325Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:02.624{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459324Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:02.624{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459323Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:02.624{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-10DA-60E3-090C-00000000D301}6752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001459322Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:02.624{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-10DA-60E3-090C-00000000D301}6752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001459321Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:02.625{D694AEB8-10DA-60E3-090C-00000000D301}6752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001459320Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:00.630{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63346-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x80000000000000001459319Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:02.540{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\AlternateServices.txt2021-06-30 11:32:16.512 23542300x80000000000000001459318Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:02.540{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\AlternateServices.txtMD5=43E4FF7B828F20DADD31F90AB3255ED4,SHA256=1EB638CC7320D3E66429457FA1CE72491766B201EBFD9DF0CBCD620BC5DC6BAC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001459349Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:03.972{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-10DB-60E3-0B0C-00000000D301}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459348Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:03.972{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459347Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:03.972{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459346Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:03.972{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459345Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:03.972{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459344Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:03.972{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-10DB-60E3-0B0C-00000000D301}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001459343Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:03.972{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-10DB-60E3-0B0C-00000000D301}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001459342Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:03.973{D694AEB8-10DB-60E3-0B0C-00000000D301}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001459341Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:03.754{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AE9EEF9C86E8325CAD07B187035B91B,SHA256=6721B0C563721B7F2060292F20E9222ABDCDDED4F79D1FD80128F4EEC70F3102,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404230Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:03.943{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDAB072228F7AC7554355CD5CC4899D1,SHA256=C3D2D4D2882BE919F21FB45C2D2AA8B31DD697C900BCD8C2F913EF19FACFBA41,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000404229Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:02.461{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54304-false10.0.1.12-8000- 23542300x80000000000000001459340Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:03.638{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D03DB1A91BA396967F2AF69E966F76B4,SHA256=1E31084574F49ED8D38B359AB11128880864D4D71E0973B1136885A16124164A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001459339Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:03.454{D694AEB8-10DB-60E3-0A0C-00000000D301}63924376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459338Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:03.306{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-10DB-60E3-0A0C-00000000D301}6392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459337Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:03.304{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459336Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:03.304{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459335Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:03.304{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459334Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:03.304{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459333Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:03.304{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-10DB-60E3-0A0C-00000000D301}6392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001459332Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:03.304{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-10DB-60E3-0A0C-00000000D301}6392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001459331Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:03.302{D694AEB8-10DB-60E3-0A0C-00000000D301}6392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000404231Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:04.943{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0458E0A699607E3FE7CCDA23AE48862,SHA256=4897A102208A6BE7B127AA39D522E461D926C267F510C8E8B57570C2E46B1FAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001459359Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:04.821{D694AEB8-10DC-60E3-0C0C-00000000D301}68646336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001459358Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:04.768{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=907DF511534C442D896271B8C97774D2,SHA256=FCB3F2E0E1F524D3BDFB3D89678B77C7C09BE4612BC0F950E1EB092C4FCEFE1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001459357Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:04.653{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-10DC-60E3-0C0C-00000000D301}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459356Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:04.653{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459355Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:04.653{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459354Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:04.653{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459353Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:04.653{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459352Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:04.653{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-10DC-60E3-0C0C-00000000D301}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001459351Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:04.653{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-10DC-60E3-0C0C-00000000D301}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001459350Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:04.654{D694AEB8-10DC-60E3-0C0C-00000000D301}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000404232Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:05.943{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=196AE31F10390F1950CB9F6CD726DE2F,SHA256=8F64FB5B743EBE6A5E464FD4657D81183BFEA687DA76C032A9573D0B04E28E21,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001459386Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:05.982{D694AEB8-D133-60E2-1404-00000000D301}42124344C:\Windows\system32\taskhostw.exe{D694AEB8-10DD-60E3-0E0C-00000000D301}2356C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459385Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:05.982{D694AEB8-D134-60E2-1A04-00000000D301}46644740C:\Windows\Explorer.EXE{D694AEB8-10DD-60E3-0D0C-00000000D301}5136C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459384Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:05.982{D694AEB8-D134-60E2-1A04-00000000D301}46644740C:\Windows\Explorer.EXE{D694AEB8-10DD-60E3-0D0C-00000000D301}5136C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459383Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:05.982{D694AEB8-D134-60E2-1A04-00000000D301}46644740C:\Windows\Explorer.EXE{D694AEB8-10DD-60E3-0D0C-00000000D301}5136C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459382Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:05.967{D694AEB8-D134-60E2-1A04-00000000D301}46644740C:\Windows\Explorer.EXE{D694AEB8-10DD-60E3-0D0C-00000000D301}5136C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459381Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:05.967{D694AEB8-D134-60E2-1A04-00000000D301}46644812C:\Windows\Explorer.EXE{D694AEB8-10DD-60E3-0E0C-00000000D301}2356C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459380Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:05.967{D694AEB8-D134-60E2-1A04-00000000D301}46644812C:\Windows\Explorer.EXE{D694AEB8-10DD-60E3-0E0C-00000000D301}2356C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459379Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:05.967{D694AEB8-D134-60E2-1A04-00000000D301}46644812C:\Windows\Explorer.EXE{D694AEB8-10DD-60E3-0E0C-00000000D301}2356C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459378Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:05.967{D694AEB8-D134-60E2-1A04-00000000D301}46644812C:\Windows\Explorer.EXE{D694AEB8-10DD-60E3-0E0C-00000000D301}2356C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459377Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:05.951{D694AEB8-B3EA-60E2-1600-00000000D301}1296300C:\Windows\system32\svchost.exe{D694AEB8-10DD-60E3-0E0C-00000000D301}2356C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459376Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:05.951{D694AEB8-B3EA-60E2-1600-00000000D301}12961384C:\Windows\system32\svchost.exe{D694AEB8-10DD-60E3-0E0C-00000000D301}2356C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459375Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:05.951{D694AEB8-10DD-60E3-0E0C-00000000D301}23566608C:\Windows\system32\conhost.exe{D694AEB8-10DD-60E3-0D0C-00000000D301}5136C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459374Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:05.935{D694AEB8-D131-60E2-0904-00000000D301}17165668C:\Windows\system32\csrss.exe{D694AEB8-10DD-60E3-0E0C-00000000D301}2356C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 13241300x80000000000000001459373Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.localInvDBSetValue2021-07-05 14:02:05.935{D694AEB8-B3EA-60E2-1300-00000000D301}900C:\Windows\System32\svchost.exeHKU\S-1-5-21-2647848180-4175332032-3456959373-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\emu.batBinary Data 10341000x80000000000000001459372Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:05.935{D694AEB8-B3EA-60E2-1300-00000000D301}9005724C:\Windows\System32\svchost.exe{D694AEB8-10DD-60E3-0D0C-00000000D301}5136C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459371Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:05.935{D694AEB8-B3EA-60E2-1300-00000000D301}9005724C:\Windows\System32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459370Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:05.935{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459369Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:05.935{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459368Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:05.935{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459367Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:05.935{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459366Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:05.935{D694AEB8-D131-60E2-0904-00000000D301}17164304C:\Windows\system32\csrss.exe{D694AEB8-10DD-60E3-0D0C-00000000D301}5136C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001459365Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:05.935{D694AEB8-D134-60E2-1A04-00000000D301}46646476C:\Windows\Explorer.EXE{D694AEB8-10DD-60E3-0D0C-00000000D301}5136C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+9070f|C:\Windows\System32\windows.storage.dll+90385|C:\Windows\System32\windows.storage.dll+8fe76|C:\Windows\System32\windows.storage.dll+912e8|C:\Windows\System32\windows.storage.dll+8fc9e|C:\Windows\System32\windows.storage.dll+92ab5|C:\Windows\System32\windows.storage.dll+92e34|C:\Windows\System32\windows.storage.dll+92470|C:\Windows\System32\windows.storage.dll+94c4a|C:\Windows\System32\windows.storage.dll+94a02|C:\Windows\System32\SHELL32.dll+3f98d|C:\Windows\System32\SHELL32.dll+3e526|C:\Windows\System32\SHELL32.dll+802b1|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHELL32.dll+18cf7c|C:\Windows\System32\SHELL32.dll+18ccd3|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001459364Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:05.941{D694AEB8-10DD-60E3-0D0C-00000000D301}5136C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Temp\emu.bat" "C:\Temp\ATTACKRANGE\Administrator{D694AEB8-D133-60E2-3BFB-250000000000}0x25fb3b2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x80000000000000001459363Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:05.783{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66A0FA7DE0E6B10B5516F1537D3519BF,SHA256=DC13D438860C98EEE325D0D186A00C22E9E306D26266F801069FED73B88E3930,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001459362Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:03.680{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local63347-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001459361Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:03.680{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local63347-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001459360Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:05.121{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C35BC74A0EE06E288256EFAE26E9AEE,SHA256=67D8CA2F034DE9ADAD260406E3FF4BDB1E886BEBB8728BC9E27F9396F7E0304D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404233Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:06.943{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C1C0A7BA1CDABEAED7FF852574CF428,SHA256=F9C3FBD3CAFA2E5A7574048C22E54B2312D006C7943C6B3D21B4D4E33A60464B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459401Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:06.950{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3154CCC12E25D6E3C5E0D34FB6FA848F,SHA256=B5DB973F348D33E0C7FF0FFB6156375F57C1AD0FA3A0D675FD0DB8A1E1762267,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459400Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:06.950{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59EEA47EF62578352A3F9A20E3B77606,SHA256=1E87D42DEBF130A010B6C237DA9D8D012B829EEA58ECBFE27C33B5ACB3640F7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001459399Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:04.115{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local65449- 354300x80000000000000001459398Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:04.115{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local56185- 354300x80000000000000001459397Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:04.113{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local57641- 354300x80000000000000001459396Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:04.112{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local60447- 354300x80000000000000001459395Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:04.111{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54046- 22542200x80000000000000001459394Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:04.658{D694AEB8-F83C-60E2-EF08-00000000D301}6572e11847.g.akamaiedge.net02.18.234.244;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001459393Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:04.658{D694AEB8-F83C-60E2-EF08-00000000D301}6572www.ebay.de0type: 5 slot11847.ebay.com.edgekey.net;type: 5 e11847.g.akamaiedge.net;::ffff:2.18.234.244;C:\Program Files\Mozilla Firefox\firefox.exe 11241100x80000000000000001459392Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.localDLL2021-07-05 14:02:06.020{D694AEB8-10DD-60E3-0D0C-00000000D301}5136C:\Windows\system32\cmd.exeC:\Windows\mpsvc.dll2021-07-05 14:02:06.020 11241100x80000000000000001459391Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.localEXE2021-07-05 14:02:06.004{D694AEB8-10DD-60E3-0D0C-00000000D301}5136C:\Windows\system32\cmd.exeC:\Windows\msmpeng.exe2021-07-05 14:02:06.004 10341000x80000000000000001459390Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:06.004{D694AEB8-D134-60E2-1A04-00000000D301}46644616C:\Windows\Explorer.EXE{D694AEB8-10DD-60E3-0D0C-00000000D301}5136C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459389Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:06.004{D694AEB8-D134-60E2-1A04-00000000D301}46644616C:\Windows\Explorer.EXE{D694AEB8-10DD-60E3-0D0C-00000000D301}5136C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459388Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:06.004{D694AEB8-D134-60E2-1A04-00000000D301}46644616C:\Windows\Explorer.EXE{D694AEB8-10DD-60E3-0D0C-00000000D301}5136C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459387Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:06.001{D694AEB8-D133-60E2-1404-00000000D301}42124344C:\Windows\system32\taskhostw.exe{D694AEB8-10DD-60E3-0E0C-00000000D301}2356C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000404234Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:07.943{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEB3BF097BE09236D6DF04BB10894819,SHA256=8D529CE69E0830F3EB2756D27D48CE7AB0746A7B71DF5FE9EE9C869C5DF03291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404235Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:08.958{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F84E865AE95C241D210D808041E48E7D,SHA256=E8CEB88C42A797D955073706EB2DA27486F8EA8D80EAC76B8485734B346C07E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459402Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:08.017{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=754AA4EA842B95C91942B5BBD13F441B,SHA256=C62D3F35B11239FF82BBF1C2AEEEA49DD72888DEC1E39DCBA444E7A4A2501B45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404237Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:09.958{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F1204A5421FA740FC4F3E9361171B7B,SHA256=738CBA5DA0E5341087C6167E15C8DE5D86E8AE5AC4A209979352C6C839E62B83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001459404Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:06.643{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63348-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001459403Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:09.032{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EB2A58D6762E91A5B326D6153AA7A04,SHA256=5CB9092928FDE843F59ECEA8404595B9AFB8221A2A6BC261A7CAB23F508317BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000404236Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:08.391{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54305-false10.0.1.12-8000- 23542300x8000000000000000404238Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:10.990{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=034D47CE09E94AA323CC15FDC4920089,SHA256=A708992285CBB66098CF5C36385D17B036B6FBCC228555A7005DF265C5172F65,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001459429Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:10.432{D694AEB8-D134-60E2-1A04-00000000D301}46644616C:\Windows\Explorer.EXE{D694AEB8-10E2-60E3-0F0C-00000000D301}7156C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459428Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:10.432{D694AEB8-D134-60E2-1A04-00000000D301}46644616C:\Windows\Explorer.EXE{D694AEB8-10E2-60E3-0F0C-00000000D301}7156C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459427Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:10.432{D694AEB8-D134-60E2-1A04-00000000D301}46644616C:\Windows\Explorer.EXE{D694AEB8-10E2-60E3-0F0C-00000000D301}7156C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459426Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:10.416{D694AEB8-D133-60E2-1404-00000000D301}42124344C:\Windows\system32\taskhostw.exe{D694AEB8-10E2-60E3-100C-00000000D301}6396C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459425Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:10.416{D694AEB8-D133-60E2-1404-00000000D301}42124344C:\Windows\system32\taskhostw.exe{D694AEB8-10E2-60E3-100C-00000000D301}6396C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459424Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:10.416{D694AEB8-D134-60E2-1A04-00000000D301}46644740C:\Windows\Explorer.EXE{D694AEB8-10E2-60E3-0F0C-00000000D301}7156C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459423Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:10.416{D694AEB8-D134-60E2-1A04-00000000D301}46644740C:\Windows\Explorer.EXE{D694AEB8-10E2-60E3-0F0C-00000000D301}7156C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459422Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:10.416{D694AEB8-D134-60E2-1A04-00000000D301}46644740C:\Windows\Explorer.EXE{D694AEB8-10E2-60E3-0F0C-00000000D301}7156C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459421Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:10.400{D694AEB8-D134-60E2-1A04-00000000D301}46644740C:\Windows\Explorer.EXE{D694AEB8-10E2-60E3-0F0C-00000000D301}7156C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459420Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:10.400{D694AEB8-D134-60E2-1A04-00000000D301}46644812C:\Windows\Explorer.EXE{D694AEB8-10E2-60E3-100C-00000000D301}6396C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459419Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:10.400{D694AEB8-D134-60E2-1A04-00000000D301}46644812C:\Windows\Explorer.EXE{D694AEB8-10E2-60E3-100C-00000000D301}6396C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459418Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:10.400{D694AEB8-D134-60E2-1A04-00000000D301}46644812C:\Windows\Explorer.EXE{D694AEB8-10E2-60E3-100C-00000000D301}6396C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459417Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:10.400{D694AEB8-D134-60E2-1A04-00000000D301}46644812C:\Windows\Explorer.EXE{D694AEB8-10E2-60E3-100C-00000000D301}6396C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459416Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:10.400{D694AEB8-B3EA-60E2-1600-00000000D301}1296300C:\Windows\system32\svchost.exe{D694AEB8-10E2-60E3-100C-00000000D301}6396C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459415Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:10.400{D694AEB8-B3EA-60E2-1600-00000000D301}12961384C:\Windows\system32\svchost.exe{D694AEB8-10E2-60E3-100C-00000000D301}6396C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459414Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:10.400{D694AEB8-10E2-60E3-100C-00000000D301}6396388C:\Windows\system32\conhost.exe{D694AEB8-10E2-60E3-0F0C-00000000D301}7156C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459413Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:10.379{D694AEB8-D131-60E2-0904-00000000D301}17164304C:\Windows\system32\csrss.exe{D694AEB8-10E2-60E3-100C-00000000D301}6396C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001459412Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:10.379{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459411Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:10.379{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459410Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:10.379{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459409Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:10.379{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459408Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:10.379{D694AEB8-D131-60E2-0904-00000000D301}17165668C:\Windows\system32\csrss.exe{D694AEB8-10E2-60E3-0F0C-00000000D301}7156C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001459407Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:10.379{D694AEB8-D134-60E2-1A04-00000000D301}46644516C:\Windows\Explorer.EXE{D694AEB8-10E2-60E3-0F0C-00000000D301}7156C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+9070f|C:\Windows\System32\windows.storage.dll+90385|C:\Windows\System32\windows.storage.dll+8fe76|C:\Windows\System32\windows.storage.dll+912e8|C:\Windows\System32\windows.storage.dll+8fc9e|C:\Windows\System32\windows.storage.dll+92ab5|C:\Windows\System32\windows.storage.dll+92e34|C:\Windows\System32\windows.storage.dll+1f9aa4|C:\Windows\System32\windows.storage.dll+94c4a|C:\Windows\System32\windows.storage.dll+94a02|C:\Windows\System32\SHELL32.dll+3f98d|C:\Windows\System32\SHELL32.dll+3e526|C:\Windows\System32\SHELL32.dll+802b1|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHELL32.dll+175730|C:\Windows\System32\SHELL32.dll+16d60c|C:\Windows\System32\SHELL32.dll+19e7e8|C:\Windows\System32\SHELL32.dll+16d7a6|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 154100x80000000000000001459406Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:10.387{D694AEB8-10E2-60E3-0F0C-00000000D301}7156C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Temp"C:\Windows\system32\ATTACKRANGE\Administrator{D694AEB8-D133-60E2-3BFB-250000000000}0x25fb3b2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x80000000000000001459405Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:10.048{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61AE0227AE916F210C82E09D27700255,SHA256=3FE278A7E1B9B01E88FE142E0C1031C77CFE6805E3E03DF447C3E41A5A906C91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459431Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:11.399{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1A443D2C91C1834CEF2B46F986C70BF,SHA256=49F7906DFB44C8457FF7E58C9F5EE6D0664CA03BD15D4E847D784073AC9B7E4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459430Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:11.078{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B13E57831660F00573C3506D5FE26C4,SHA256=CDF0C88326AAC5C656904FF25751D1C9A1DB6795E8D02B20A4BF5303BD559A28,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001459436Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.localDLL2021-07-05 14:02:12.761{D694AEB8-10E2-60E3-0F0C-00000000D301}7156C:\Windows\system32\cmd.exeC:\Windows\mpsvc.dll2021-07-05 14:02:06.020 23542300x80000000000000001459435Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:12.761{D694AEB8-10E2-60E3-0F0C-00000000D301}7156ATTACKRANGE\AdministratorC:\Windows\system32\cmd.exeC:\Windows\mpsvc.dllMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37Afalsetrue 11241100x80000000000000001459434Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.localEXE2021-07-05 14:02:12.761{D694AEB8-10E2-60E3-0F0C-00000000D301}7156C:\Windows\system32\cmd.exeC:\Windows\msmpeng.exe2021-07-05 14:02:06.004 23542300x80000000000000001459433Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:12.761{D694AEB8-10E2-60E3-0F0C-00000000D301}7156ATTACKRANGE\AdministratorC:\Windows\system32\cmd.exeC:\Windows\msmpeng.exeMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37Afalsetrue 23542300x80000000000000001459432Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:12.095{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0787FDABA1D28C41B7071BF205ADDB3D,SHA256=081A02FDDEA574CFE8FF5BE375247B0D3B7DE16EA636797EADB44CFC5DDD7B84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404239Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:12.005{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9189B0163F1793F975F6A3E06BB1D179,SHA256=4F707090479CD97E9E3551BF307853EB5C9C81CCEC2700F89393D94168561681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459437Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:13.114{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B4E32998912CA15BB4BB260BBA2C5B4,SHA256=68C2FCEA0021559F0E0325A511AD08EF3E9E9FE45E8C55461C1BC8087F8BBD4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404240Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:13.083{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=171E2A4F8B8C43D23AA59BD7D423D911,SHA256=687991968273FE170F231CC7E95776C85CF02881F9557B814BF88B55596689B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001459440Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:12.634{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63349-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001459439Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:14.659{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=7AEB52F428304634F3AD32BAAEF0BDDC,SHA256=3C91C56384AB57C6FE2F8220261B7032048BECE2544455F6C9BEDB079D14402F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459438Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:14.144{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BFA41EDAFC407040CA72D785DF037F5,SHA256=03C2A6FF56BC69B28491450002F15723C2A4CE4528E025034603F2B6A192B8D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404241Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:14.099{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC2E35498FCB09F506F5129C9A89280C,SHA256=063C8C7B32EC6FF71AA37E038D30901E33DFFCB779BBF6D352D2F2421627427D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459441Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:15.174{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24A2DB336C63ACB60A381FD3F9597920,SHA256=5DDA9CB4CEC54EADE3C4F945AF873973DD7CE3463032A9C54202925BF6FF9F05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404242Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:15.224{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5A8571EFD3092F170E4E42F7511A3A7,SHA256=0B27D32660C90D1EBBCE2CB15710754BA839E2CCC737E1A031DE5707F79EC77F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404244Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:16.318{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8C456C77F2AD96DB3B9918563B6B6D7,SHA256=8AF40143FA20BC0E52BE69B71C50EAD7287BD60B1662E7375F08E78A6DD5D8B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459442Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:16.191{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E332411FB6ABA26BE5F993333D77BB5E,SHA256=11F1422A1A98AEC6C4D5AACC18C59D9DA47644B205E708980E530E39164BB30E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000404243Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:14.375{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54306-false10.0.1.12-8000- 23542300x8000000000000000404245Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:17.365{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=309ACB0992DB59D54207A45B22ED96BA,SHA256=A1957D3474FACA8DF338E368075AD1B41E31C68BA88117C1F4E886C1D6920F88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459443Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:17.241{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E243DAE6B83120A8F8D2CACADF2C7BB3,SHA256=8182B74BB56C5388D260B6FFF8FCB0087A6B12FCC15E8517657DC7FD429CBA2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404246Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:18.380{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2710EFB7C43959D00D321FD13F20016F,SHA256=5522701AB24D23C17CEA14C50F3C58234C1F36A2B0D4EE172C31FD6EF46BDC6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459444Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:18.255{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53C7E5327F2A94EAFCB4BA391EA85CF5,SHA256=D49339423C5A1E626121C521AF0594C58253C8DBD04C8DF4BD83E1E03C996B7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404247Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:19.552{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C70C4531211D26F1811A39B95C14013,SHA256=7F25957D413F013AD1A4528E11A9ADE790925B1B325E1ECD3287D1FC43BE920A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459445Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:19.270{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88AB6BD4F19DEB6E42EE61371D2F38AC,SHA256=0811609551A392A634AB9CC1386A711E59A82441CD5919FD4CB262DF350CB1B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404248Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:20.568{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2989667E5705E950D0826F8DE5163602,SHA256=35745400FE96A3CD2387DB66AE53B27E8A90CC4AB6A7F5DD58C0D7F08F615C2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001459447Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:18.628{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63350-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001459446Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:20.286{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15DA05DBCC574DEC6D147C4E18B986D5,SHA256=C73FDB439DBF1C609A79FB1EDE8A17471314AD593E04CB0364DEA18789AC42E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000404250Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:20.329{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54307-false10.0.1.12-8000- 23542300x8000000000000000404249Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:21.568{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC339610BD4884A638F39F81C58DBE62,SHA256=2872E48C2518A20B177392748E4B89B29ACBF073BF840FBE259E80B6053B999C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459454Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:21.305{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=377E471837191BFBBBB561EDDFF80B0E,SHA256=7295538C4BF54AF1A24D204BB8C67CB2A12E6D81E3551005DD9151645BB433D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459453Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:21.168{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=41CFC3811DCE08C722EF4EE36740DFB2,SHA256=BD7AECB2B6EF927C5FA01216DFBFB1E745FD500CB9DB355E0B1898DC0B5095ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459452Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:21.168{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=57B72564F4A67C126CBD2044155D2C56,SHA256=8E3A6EDAE27A06896B4E0067A416B6EF7FE8455A9CBB9E080FAF9374E0622361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459451Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:21.168{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=2B4B36E403227AE6681D6D9F9E3F675D,SHA256=130D3C573970140667277A3F09B3180E7EA6629B44A1153E76B9FE397F0BD78B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459450Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:21.168{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=0C64E0BEDB5DCDC712A436099D48258E,SHA256=571A597CA5ACB23C5C10C72DA96F6318FC5E7A060C211791D7A8E42EFBA0E248,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459449Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:21.168{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=C48D3C3408D47E7C9EE2C9B513129232,SHA256=8F843FC8238765B299D35283C47C328EC776469C1F6E9C7ABEB5D51C2585368F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459448Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:21.168{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=B0E994241A3277135C01294D706ECA6A,SHA256=C21E0DEF2355F6146BFF334306D601C564F74454A262F1A17ED804F129069EC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404251Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:22.583{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF4AA66B40C8074071EEA2E1A22C3B48,SHA256=A31F0401BEDB716A309333298065B7AF9A5B42B37CDFDA5AE8A25B1C596625F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459455Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:22.320{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4147148C7969C044B3618ACB1247B06C,SHA256=69DDC1F6C574DA977280A8D9873EFE0CBDB6BFEB27FECAD3693DF81A5729B11C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404252Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:23.599{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=320D8F23FBBAE4A485751F28AA7626B0,SHA256=F7390DD12039A2DD2DDA9558296B58135F96D2DB3C5E790B75A2068B2D1CBBBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459456Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:23.334{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44768BB032EF652BE7C6A7CA9F4129DE,SHA256=64C2164126F056AED6A6E1E386A23E8935B4CA7F3EB020F80235C25074010494,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404253Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:24.599{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7B81383375E981DDA777D0FFD331AB5,SHA256=FC1387A76FFB386FA968DE12BD680413521704DAFE96F578CB1AF6ABCA0A5CBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459457Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:24.349{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36F3809F23096A8E7E5DBEB697140474,SHA256=B326869F0F0437C6D3B99DE7F573023E1DF36A7D2F959958E20C12EBBBDD81BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404254Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:25.599{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2DBF5873BC12546226B0B420D5D2A90,SHA256=B35D7759B835E166740D0ECF23BC1615B6DBB6A7B1291DADF2AE1224A2FCC876,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459458Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:25.364{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=043826504A512A0898F012F14311B152,SHA256=952D0D96D0138119F692792493F03C0464A019C0153B92DAE56BFD3780FFDABB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404256Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:26.599{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99E726FDDEAD8FCB4C0D60D479CF3764,SHA256=85169E184C4EBF748D07482A6A2B2FFCD8F7A5D8E35116FB4F130186B9F937A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459459Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:26.381{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6791FCD1734599E1D5BCB8DAACAE482,SHA256=AE3DE141D6B0E72C4E0B4CC8E5B8073D61BB174C83F4756CAF383089178E3210,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404255Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:26.458{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=85B60C9EDCFD6222F46CB232E8747B98,SHA256=8280CF16D0EB2BE25065CFA09B8DD6A41E8CE32379F507A378297DF54BF96A62,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000404258Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:26.329{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54308-false10.0.1.12-8000- 23542300x8000000000000000404257Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:27.599{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=194D264139AA25644AB03899F496D80D,SHA256=C93EBC59F0D57F44E9BDC87AB2221BB2D2C405CE14910BCE2676AB29311B4492,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459461Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:27.388{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=835BD0D609DD26225259B19A81495766,SHA256=5B520335E954C5172276BE532C1AF9CCF0DD29D47D820E7C8BFD839FBDAECD42,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001459460Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:24.644{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63351-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000404262Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:28.599{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77E0B1AAC604CAFA22ED4BBF22282930,SHA256=ECCF5EEB35B1052AA89872D253329EC010D060B3EC31084094ABB969FFE008F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459462Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:28.407{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7B8DB3A54483E0254EED38D84DE6947,SHA256=442FD04E8D655F7D07AA1DE02325C94E4D67BB6D484C0063BB25A49FE31951A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000404261Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:28.255{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E4-60E2-1300-00000000D401}848C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404260Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:28.255{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E4-60E2-1300-00000000D401}848C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404259Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:28.255{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E4-60E2-1300-00000000D401}848C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000404263Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:29.599{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81AD3AD8AD10D0E9B32E75CB7E84E559,SHA256=98632C934AC2FD8E9D9A1D731981079A2E8B290A330ED73B0D0FB67E47720529,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459463Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:29.422{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F67FF73DA81547B0942AE1756EAE95D,SHA256=6C0F12C4F7DAFC9E627762610381E15E7BD740C0DF378CE3054CF76AE6B637B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404264Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:30.599{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA1CF45DEACD63A860F3891B94C3DDB9,SHA256=F9507484552B923A684646BE91EEA168163042F2DB644F1F55E15F191481EC19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459466Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:30.436{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BE3251BDD0951CE24B7857F23321B44,SHA256=6C5BD4DB9CC401E328FB90E3F21D162CD9DC6DFE189B22D5B8F9CBE4DC2B97C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459465Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:30.337{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=537947905EBDC3447931A688077C96DF,SHA256=A70A969238EC5E885B19EB6FF05857BB50FA4A7347D653DC267EF2E401F73F55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459464Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:30.337{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD39A47037EB216B3D3401729A10928A,SHA256=3B16846F0C0B60FE4C40B109214ADF99C7C5903C2968F73DA0F1B7A1D5B82BAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459469Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:31.451{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9EE9C81C9D9EF8DAB200E6B5F6942DC,SHA256=9F57EAE4B1AF0DF574B5CEA49F66C5D83836AA9379CE9FFA418E30B6EF299DA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404266Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:31.833{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404265Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:31.599{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87C083C5941E6DB28E9F20E00AEDA95D,SHA256=03C3D16A03D32FE5209C5771B097501D9426E4932177479B702CF2A664C896C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459468Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:31.267{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001459467Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:28.281{D694AEB8-B3EA-60E2-0F00-00000000D301}376C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-46654-false10.0.1.14win-dc-201.attackrange.local3389ms-wbt-server 23542300x8000000000000000404267Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:32.615{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFBEE3BAA745FCD76CE2ECF0DFC55887,SHA256=269D67711F1A77C2C22E22298EC15DD3F0783069EE8E63526EFEB5B96AA87C42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459470Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:32.465{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BC7A40C33D669043F866B8629C7A5A7,SHA256=FB2210690F970168DB90859BC8F30B99D9DCCB096DCDE9E68F02220EED685D54,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000404270Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:32.329{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54310-false10.0.1.12-8000- 354300x8000000000000000404269Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:32.048{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54309-false10.0.1.12-8089- 23542300x8000000000000000404268Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:33.615{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5E61B25BD0C7CFA97C91381DFC62BD8,SHA256=23D8D1FAB22BAF974670E9E92ECDF02B6DE674D332DFAC5F64427B2507288C28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459473Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:33.483{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AE63FA30898CEC2466FD0EB7B064ACE,SHA256=562A533FBAA9B9FC56179267F931543B8DDE819691F9003BA0B289983D36D982,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001459472Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:30.694{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63353-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001459471Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:30.609{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63352-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001459475Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:34.517{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5165C165D6ACF9ECA37BB4A841CB2CB1,SHA256=9651E13D3799C7AC25EBE038A7F75E3348DCB77C922F54C4597096B1CBE5AEFC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000404297Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:34.974{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-10FA-60E3-730B-00000000D401}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404296Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:34.974{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404295Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:34.974{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404294Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:34.974{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404293Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:34.974{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404292Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:34.974{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404291Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:34.974{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404290Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:34.974{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404289Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:34.974{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404288Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:34.974{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404287Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:34.974{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-10FA-60E3-730B-00000000D401}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000404286Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:34.974{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-10FA-60E3-730B-00000000D401}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000404285Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:34.975{7F1C7D0B-10FA-60E3-730B-00000000D401}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000404284Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:34.630{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=502EBCCF3232830B6B686E9E1AB0C6F0,SHA256=3603F67919050D627991EFAF811C891441C9CBFBD085FA4053CF178EEAEA45AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000404283Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:34.474{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-10FA-60E3-720B-00000000D401}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404282Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:34.474{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404281Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:34.474{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404280Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:34.474{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404279Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:34.474{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404278Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:34.474{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404277Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:34.474{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404276Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:34.474{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404275Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:34.474{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404274Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:34.474{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404273Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:34.474{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-10FA-60E3-720B-00000000D401}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000404272Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:34.474{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-10FA-60E3-720B-00000000D401}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000404271Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:34.475{7F1C7D0B-10FA-60E3-720B-00000000D401}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001459474Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:34.233{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=3971A8EDF757D4CFA158A61C27391786,SHA256=71A0401F9A2A6E842219AD718CD733DCCF9AB41A7A912B19490571838998A882,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459476Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:35.531{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A72DB849928FD06F5D37FD740C1756F4,SHA256=2A8C5EF582EFBD4EF0B89A613E41D01494510A7996DC3B83AD3D7BF3572757A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404314Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:35.693{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CCE0A8B3DBB9A399AD62C7C43C829D9,SHA256=A09CC9F6A928906E828E6F9DC6CCBA394D21E1BA65A1578ACBDA0FDB7C672412,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000404313Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:35.490{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-10FB-60E3-740B-00000000D401}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404312Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:35.490{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404311Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:35.490{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404310Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:35.490{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404309Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:35.490{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404308Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:35.490{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404307Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:35.490{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404306Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:35.490{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404305Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:35.490{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404304Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:35.490{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404303Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:35.490{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-10FB-60E3-740B-00000000D401}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000404302Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:35.490{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-10FB-60E3-740B-00000000D401}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000404301Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:35.490{7F1C7D0B-10FB-60E3-740B-00000000D401}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000404300Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:35.474{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D845F47BC758687CE17086B25A513FD,SHA256=3FCF3ED2902EB6009205EE9951B5955B41C9543D77E70F5E9C329D101D3C1C6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404299Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:35.474{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D26231839A1DE81CC75322C32E6F9F0,SHA256=744BC23C1D4D81189DE3599CD2D5DE64F32C462A447E9FC2DA4D9E3424165A64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000404298Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:35.224{7F1C7D0B-10FA-60E3-730B-00000000D401}2324736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001459477Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:36.546{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85899BB1351E3C349980851DA45CEDC2,SHA256=E78B41D303DC5EB97222F9CD093C0EE1232AFE13899FED30C413729EB35289DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404316Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:36.693{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D15CF9FCE5F10C8AC655B1A5D59BD00,SHA256=2A7D3D8E129D1F4FD1EBA1978161832E48FF7443B5142E064F149CC090A1CBC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404315Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:36.661{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D845F47BC758687CE17086B25A513FD,SHA256=3FCF3ED2902EB6009205EE9951B5955B41C9543D77E70F5E9C329D101D3C1C6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404317Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:37.724{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85F85947509C1DE7AC6EA583E10103D6,SHA256=3E8CCDEBF9753942245E054DF75BDD732DBF699ECDC435EE7CAF19E791D1315E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459478Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:37.579{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEFAA5419ADA57E0B49DA43079F9B225,SHA256=E7F87FE0AA2C811FEE76910247D8125F02D7542CCA7ECB62548D285385492481,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404318Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:38.724{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA7DC838648D3ED4E32FB93D9D9B2385,SHA256=4E5843990A0B806EF3A8ED16D712ACBF9B95DC26BB2A6AABAEABB3E0D3B91E61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459480Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:38.597{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DAE167CBF207D3F6D6D5EE754B407F4,SHA256=2A935AC48F1CCD60CDF689547992BC2A24B4BD23E20E10139A066504588DABA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001459479Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:35.620{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local63354-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000404346Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:39.818{7F1C7D0B-10FF-60E3-760B-00000000D401}15601072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001459481Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:39.612{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6696DD212F727CCD2D372F8BA8E23E7D,SHA256=F72D9F726E21C2CD78F9892B90791E73D8FF35486987713978CCCF0A9A6BA057,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000404345Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:39.583{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-10FF-60E3-760B-00000000D401}1560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404344Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:39.583{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404343Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:39.583{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404342Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:39.583{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404341Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:39.583{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404340Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:39.583{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404339Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:39.583{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404338Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:39.583{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404337Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:39.583{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404336Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:39.583{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404335Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:39.583{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-10FF-60E3-760B-00000000D401}1560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000404334Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:39.583{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-10FF-60E3-760B-00000000D401}1560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000404333Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:39.584{7F1C7D0B-10FF-60E3-760B-00000000D401}1560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000404332Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:39.333{7F1C7D0B-10FF-60E3-750B-00000000D401}7603980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404331Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:39.083{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-10FF-60E3-750B-00000000D401}760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404330Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:39.083{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404329Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:39.083{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404328Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:39.083{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404327Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:39.083{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404326Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:39.083{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404325Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:39.083{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404324Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:39.083{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404323Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:39.083{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404322Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:39.083{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404321Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:39.083{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-10FF-60E3-750B-00000000D401}760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000404320Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:39.083{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-10FF-60E3-750B-00000000D401}760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000404319Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:39.085{7F1C7D0B-10FF-60E3-750B-00000000D401}760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000404377Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:40.943{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8272A538B1F10A7C87A8379B9D0F43B,SHA256=E596B90867A999FCA241B7B0A7525B767D2F5771DD644A055834781C930C92E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001459482Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:40.627{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C824049D819AF9B0DAAB63E9B7FBC21,SHA256=FFE7DE60468CBE895A23B5D52ACD5EB7B9C79A662DF1AE1F7562079DA384CA25,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000404376Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:40.755{7F1C7D0B-1100-60E3-780B-00000000D401}33163508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404375Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:40.583{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-1100-60E3-780B-00000000D401}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404374Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:40.583{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404373Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:40.583{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404372Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:40.583{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404371Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:40.583{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404370Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:40.583{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404369Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:40.583{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404368Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:40.583{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404367Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:40.583{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404366Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:40.583{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404365Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:40.583{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-1100-60E3-780B-00000000D401}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000404364Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:40.583{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-1100-60E3-780B-00000000D401}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000404363Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:40.584{7F1C7D0B-1100-60E3-780B-00000000D401}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000404362Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:40.302{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A3FF00BE8D4D61D640B3FFED1A553FD,SHA256=89796CE9B1A460C636250B049E8F70F4A18AAFEE7C1DC08DE15396C645EF0973,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404361Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:40.224{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80EE28F0761985BC95ED3FFE1F91AB37,SHA256=E509C7D4CAFCE511F3B7105A8D79FC71A08F31DB2F05AF531DBF38CDCF1A85A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000404360Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:40.084{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-1100-60E3-770B-00000000D401}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404359Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:40.084{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-1100-60E3-770B-00000000D401}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000404358Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:40.084{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404357Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:40.084{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404356Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:40.084{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404355Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:40.084{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404354Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:40.084{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-1100-60E3-770B-00000000D401}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404353Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:40.084{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404352Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:40.084{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404351Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:40.084{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404350Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:40.084{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404349Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:40.084{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7521524C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000404348Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:40.085{7F1C7D0B-1100-60E3-770B-00000000D401}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000404347Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:38.329{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal54311-false10.0.1.12-8000- 23542300x80000000000000001459483Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 14:02:41.641{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98B3D5E594DE485DFBC94EED3CA96E08,SHA256=945B44A59E9029B24E0004EED3728B4C97960E0889738B22B58D9C951BCA90BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404378Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:41.583{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C78F2C3DA40CCC614031F42C6BEE0DB,SHA256=A4E1BDAF96187F664E1049E154C613F307D617153B81B060B4B57737A6298D55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000404379Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 14:02:42.177{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65E973460423627A047635266AD5EAE1,SHA256=584F925469D2B88F24C8D5536F8C67FA1813B2C1984F66CC08702C3B7C8E9858,IMPHASH=00000000000000000000000000000000falsetrue